rules: add app layer events rules 1402/head
authorEric Leblond <eric@regit.org>
Thu, 2 Apr 2015 16:21:40 +0000 (18:21 +0200)
committerEric Leblond <eric@regit.org>
Thu, 2 Apr 2015 16:45:05 +0000 (18:45 +0200)
Some application layer events are defined but the corresponding
rules were not available in the rules directory.

rules/Makefile.am
rules/app-layer-events.rules [new file with mode: 0644]
suricata.yaml.in

index cd3404336817856e10411b8062b7c3df632b6e86..7ab27bdf1e5612efd6342b8fdd129c5b80444704 100644 (file)
@@ -6,4 +6,5 @@ http-events.rules \
 dns-events.rules \
 tls-events.rules \
 modbus-events.rules \
+app-layer-events.rules \
 files.rules
diff --git a/rules/app-layer-events.rules b/rules/app-layer-events.rules
new file mode 100644 (file)
index 0000000..4d2ac28
--- /dev/null
@@ -0,0 +1,14 @@
+# App layer event  rules
+#
+# SID's fall in the 2260000+ range. See http://doc.emergingthreats.net/bin/view/Main/SidAllocation
+#
+# These sigs fire at most once per connection.
+#
+# A flowint applayer.anomaly.count is incremented for each match. By default it will be 0.
+#
+alert ip any any -> any any (msg:"SURICATA Applayer Mismatch protocol both directions"; flow:established; app-layer-event:applayer_mismatch_protocol_both_directions; flowint:applayer.anomaly.count,+,1; classtype:protocol-command-decode; sid:2260000; rev:1;)
+alert ip any any -> any any (msg:"SURICATA Applayer Wrong direction first Data"; flow:established; app-layer-event:applayer_wrong_direction_first_data; flowint:applayer.anomaly.count,+,1; classtype:protocol-command-decode; sid:2260001; rev:1;)
+alert ip any any -> any any (msg:"SURICATA Applayer Detect protocol only one direction"; flow:established; app-layer-event:applayer_detect_protocol_only_one_direction; flowint:applayer.anomaly.count,+,1; classtype:protocol-command-decode; sid:2260002; rev:1;)
+alert ip any any -> any any (msg:"SURICATA Applayer Protocol detection skipped"; flow:established; app-layer-event:applayer_proto_detection_skipped; flowint:applayer.anomaly.count,+,1; classtype:protocol-command-decode; sid:2260003; rev:1;)
+
+#next sid is 2260004
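Review bot: The header comment in the new rules file states that these signatures fire at most once per connection, but nothing in the four rules enforces that (no flowbits gating), so if the guarantee comes from the app-layer-event engine raising these protocol-detection events once per flow rather than per transaction, the comment should say so, e.g. `# These sigs fire at most once per connection (flow-level protocol detection events).`. The claim `By default it will be 0` for applayer.anomaly.count is worth checking against flowint semantics for a never-incremented variable; if an untouched variable reads as unset rather than 0, downstream rules should test it with `flowint:applayer.anomaly.count,isset` rather than comparing against 0, and the comment should state which form is expected. Two minor wording fixes in the same header: `# App layer event rules` (single space) and `# SIDs fall in the 2260000+ range`.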
index a2a566376ccf397ba39aa8e6b494a401030a5eb2..8189cbede69904162a2552b23f4e32a8da8e4c8f 100644 (file)
@@ -1086,6 +1086,7 @@ rule-files:
  - dns-events.rules     # available in suricata sources under rules dir
  - tls-events.rules     # available in suricata sources under rules dir
  - modbus-events.rules  # available in suricata sources under rules dir
+ - app-layer-events.rules  # available in suricata sources under rules dir
 
 classification-file: @e_sysconfdir@classification.config
 reference-config-file: @e_sysconfdir@reference.config