ikev1: add ikev1 test
authorfrank honza <frank.honza@dcso.de>
Fri, 27 Mar 2020 15:18:24 +0000 (16:18 +0100)
committerVictor Julien <victor@inliniac.net>
Fri, 5 Mar 2021 09:34:01 +0000 (10:34 +0100)
tests/ikev1-rules/ikev1-isakmp-main-mode.pcap [new file with mode: 0644]
tests/ikev1-rules/suricata.yaml [new file with mode: 0644]
tests/ikev1-rules/test.rules [new file with mode: 0644]
tests/ikev1-rules/test.yaml [new file with mode: 0644]
tests/ikev1/ikev1-isakmp-main-mode.pcap [new file with mode: 0644]
tests/ikev1/suricata.yaml [new file with mode: 0644]
tests/ikev1/test.yaml [new file with mode: 0644]
tests/ikev2-weak-dh/test.yaml

diff --git a/tests/ikev1-rules/ikev1-isakmp-main-mode.pcap b/tests/ikev1-rules/ikev1-isakmp-main-mode.pcap
new file mode 100644 (file)
index 0000000..2b1d5cf
Binary files /dev/null and b/tests/ikev1-rules/ikev1-isakmp-main-mode.pcap differ
diff --git a/tests/ikev1-rules/suricata.yaml b/tests/ikev1-rules/suricata.yaml
new file mode 100644 (file)
index 0000000..31c15fe
--- /dev/null
@@ -0,0 +1,15 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular
+      filename: eve.json
+      types:
+        - alert
+
+app-layer:
+  protocols:
+    ike:
+      enabled: yes
diff --git a/tests/ikev1-rules/test.rules b/tests/ikev1-rules/test.rules
new file mode 100644 (file)
index 0000000..6982351
--- /dev/null
@@ -0,0 +1,16 @@
+alert ike any any -> any any (msg:"ike initiator"; ike.init_spi; content:"e47a591fd057587f"; sid:1;)
+alert ike any any -> any any (msg:"ike responder"; ike.resp_spi; content:"a00b8ef0902bb8ec"; sid:2;)
+alert ike any any -> any any (msg:"ike hash algorithm"; ike.chosen_sa_attribute:alg_hash=2;sid:5;)
+alert ike any any -> any any (msg:"ike encryption algorithm"; ike.chosen_sa_attribute:alg_enc=7;sid:6;)
+alert ike any any -> any any (msg:"ike auth method"; ike.chosen_sa_attribute:alg_auth=1;sid:7;)
+alert ike any any -> any any (msg:"ike group description"; ike.chosen_sa_attribute:alg_dh=2;sid:8;)
+alert ike any any -> any any (msg:"ike life type"; ike.chosen_sa_attribute:sa_life_type=1;sid:15;)
+alert ike any any -> any any (msg:"ike life duration"; ike.chosen_sa_attribute:sa_life_duration=86400;sid:16;)
+alert ike any any -> any any (msg:"ike key length"; ike.chosen_sa_attribute:sa_key_length=128;sid:17;)
+alert ike any any -> any any (msg:"ike exchange type"; ike.exchtype:2; sid:11;)
+alert ike any any -> any any (msg:"ike vendor"; ike.vendor; content:"4a131c81070358455c5728f20e95452f"; sid:12;)
+alert ike any any -> any any (msg:"ike server key exchange"; ike.key_exchange_payload; content:"|6d026d5616c45be05e5b898411e9f95d195cea009ad22c62bef06c571b7cfbc4792f45564ec710ac584aa18d20cbc8f5f8910666b89e4ee2f95abc0230e2cba1b88ac4bba7fcc818a986c01a4ca865a5eb82884dbec85bfd7d1a303b09894dcf2e3785fd79dba225377cf8cca009ceffbb6aa38b648c4b05404f1cfaac361aff|"; flow:to_client; sid:13;)
+alert ike any any -> any any (msg:"ike client key exchange"; ike.key_exchange_payload; content:"|3504d3d2ed14e0ca03b851a51a9da2e5a4c14c1d7ec3e1fbe950025424514b3c69ed7fbb44e09225da52d2a92604a99bf61b7beed7fbfa635e82f065f4fe780751354dbe474c3de7207dcf69fdbbed32c1691cc149b318eee00370e65fc3069bbacfb013467173966e9d5f4bc4f3857e359bba3adbb6efeea516f3897d8534f3|"; flow:to_server; sid:14;)
+alert ike any any -> any any (msg:"ike key payload length"; ike.key_exchange_payload_length:>100; sid:9;)
+alert ike any any -> any any (msg:"ike nonce payload length"; ike.nonce_payload_length:<200; sid:3;)
+alert ike any any -> any any (msg:"ike nonce payload"; ike.nonce_payload; content:"|89d7c8fbf94b515b521d5d9589c2602021e1a709|"; sid:4;)
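Review bot: The option separators are written inconsistently across the rule set: sids 1, 2 and 11–14 use `; sid:N;` while the `ike.chosen_sa_attribute` rules (sids 5–8, 15–17) use `;sid:N;` with no space, e.g. `ike.chosen_sa_attribute:alg_hash=2;sid:5;`, and the sids are neither in file order nor contiguous (10 is unused). Suricata accepts both spellings, so this is a style point only, but normalising to `ike.chosen_sa_attribute:alg_hash=2; sid:5;` and numbering the rules in the order they appear would make it easier to map each `msg` to its `alert.signature` count in test.yaml. A one-line header comment naming the pcap these SPIs, nonces and key-exchange payloads were taken from would also help whoever regenerates the capture later.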
diff --git a/tests/ikev1-rules/test.yaml b/tests/ikev1-rules/test.yaml
new file mode 100644 (file)
index 0000000..425774a
--- /dev/null
@@ -0,0 +1,104 @@
+requires:
+  features:
+    - HAVE_LIBJANSSON
+  files:
+    - rust/src/ike/parser.rs
+  min-version: 6.0.0
+
+checks:
+  - filter:
+      count: 5
+      match:
+        event_type: alert
+        alert.signature: "ike initiator"
+
+  - filter:
+      count: 4
+      match:
+        event_type: alert
+        alert.signature: "ike responder"
+
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature: "ike nonce payload"
+
+  - filter:
+      count: 2
+      match:
+        event_type: alert
+        alert.signature: "ike nonce payload length"
+
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature: "ike hash algorithm"
+
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature: "ike encryption algorithm"
+
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature: "ike auth method"
+
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature: "ike group description"
+
+  - filter:
+      count: 2
+      match:
+        event_type: alert
+        alert.signature: "ike key payload length"
+
+  - filter:
+      count: 6
+      match:
+        event_type: alert
+        alert.signature: "ike exchange type"
+
+
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature: "ike vendor"
+
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature: "ike server key exchange"
+
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature: "ike client key exchange"
+
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature: "ike life type"
+
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature: "ike life duration"
+
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature: "ike key length"
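Review bot: Each check counts a single signature, so a rule that also fires on a message it should not would go unnoticed as long as the per-signature counts still hold. An aggregate filter with `count: 30` and `match: {event_type: alert}` (30 being the sum of the sixteen per-signature counts) would pin the total number of alerts and catch stray matches without changing any existing check. The same gap exists in tests/ikev1/test.yaml in this commit, where the single `event_type: ike` check only confirms that one event carries all the listed fields and says nothing about how many ike events the pcap produces. The doubled blank line before the "ike exchange type" filter is a minor style nit.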
diff --git a/tests/ikev1/ikev1-isakmp-main-mode.pcap b/tests/ikev1/ikev1-isakmp-main-mode.pcap
new file mode 100644 (file)
index 0000000..2b1d5cf
Binary files /dev/null and b/tests/ikev1/ikev1-isakmp-main-mode.pcap differ
diff --git a/tests/ikev1/suricata.yaml b/tests/ikev1/suricata.yaml
new file mode 100644 (file)
index 0000000..d14afc0
--- /dev/null
@@ -0,0 +1,16 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular
+      filename: eve.json
+      types:
+        - ike
+        - flow
+
+app-layer:
+  protocols:
+    ike:
+      enabled: yes
diff --git a/tests/ikev1/test.yaml b/tests/ikev1/test.yaml
new file mode 100644 (file)
index 0000000..6374aba
--- /dev/null
@@ -0,0 +1,27 @@
+requires:
+  features:
+    - HAVE_LIBJANSSON
+  files:
+    - rust/src/ike/parser.rs
+  min-version: 6.0.0
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: flow
+        app_proto: ike
+
+  - filter:
+      count: 1
+      match:
+        event_type: ike
+        ike.init_spi: "e47a591fd057587f"
+        ike.resp_spi: "a00b8ef0902bb8ec"
+        ike.exchange_type: 2
+        ike.ikev1.client.nonce_payload: "89d7c8fbf94b515b521d5d9589c2602021e1a709"
+        ike.ikev1.server.nonce_payload: "15b688421ed5c3dd92d3b86e47a76f0d39cc09e0"
+        ike.alg_enc: "EncAesCbc"
+        ike.alg_hash: "HashSha"
+        ike.alg_dh: "GroupAlternate1024BitModpGroup"
+        ike.alg_auth: "AuthPreSharedKey"
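Review bot: The ike event check never asserts the IKE version even though this test exists to cover IKEv1 specifically; the ikev2-weak-dh check touched in this same commit pins `ike.version_major: 2`, so adding `ike.version_major: 1` under `match:` here would make the test fail if the parser ever classified this exchange as something other than IKEv1. That assumes the ikev1 event carries the same `ike.version_major` key as the ikev2 event, which is worth confirming against the generated eve.json before relying on it. For the same reason it may be worth asserting `ike.role` as the ikev2 check does, since the separate client and server nonce fields imply the role is known.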
index 436d6444fe920daf27f7d6bab680d293672762d3..0ef35ceca39793b817f11780497a8678757d7375 100644 (file)
@@ -18,6 +18,7 @@ checks:
 
   - filter:
       count: 1
+      version: 4
       match:
         event_type: ikev2
         ikev2.version_major: 2
@@ -31,3 +32,38 @@ checks:
         ikev2.payload[1]: KeyExchange
         ikev2.payload[2]: SecurityAssociation
         ikev2.payload[3]: NoNextPayload
+
+  - filter:
+      count: 1
+      version: 5
+      match:
+        event_type: ikev2
+        ikev2.version_major: 2
+        ikev2.exchange_type: 34
+        ikev2.message_id: 0
+        ikev2.init_spi: "61d3693ce12af528"
+        ikev2.resp_spi: "0000000000000000"
+        ikev2.role: initiator
+        ikev2.errors: 0
+        ikev2.payload[0]: Nonce
+        ikev2.payload[1]: KeyExchange
+        ikev2.payload[2]: SecurityAssociation
+        ikev2.payload[3]: NoNextPayload
+
+  # from suricata version >=6 the event_type for ikev2 is ike
+  - filter:
+      count: 1
+      min-version: 6
+      match:
+        event_type: ike
+        ike.version_major: 2
+        ike.exchange_type: 34
+        ike.message_id: 0
+        ike.init_spi: "61d3693ce12af528"
+        ike.resp_spi: "0000000000000000"
+        ike.role: initiator
+        ike.ikev2.errors: 0
+        ike.payload[0]: Nonce
+        ike.payload[1]: KeyExchange
+        ike.payload[2]: SecurityAssociation
+        ike.payload[3]: NoNextPayload
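Review bot: The `version: 5` filter added here repeats the `version: 4` filter from the hunk above line for line (same `count: 1` and the same twelve match keys), so any future change to the expected ikev2 fields now has to be made in two places. If the harness provides an upper-bound version selector the two could be collapsed into one check; if it does not, a comment such as `# suricata 4 and 5 emit event_type ikev2; identical checks pinned per major version` above the `version: 4` filter would tell the reader the duplication is deliberate. The `# from suricata version >=6 ...` comment on the third check is helpful; it could also mention that `ikev2.errors` became `ike.ikev2.errors`, since that is the one key that did not simply lose its `ikev2.` prefix.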