tests: firewall default policy tests
authorVictor Julien <victor@inliniac.net>
Tue, 5 May 2026 20:39:06 +0000 (22:39 +0200)
committerVictor Julien <vjulien@oisf.net>
Sat, 16 May 2026 05:41:55 +0000 (05:41 +0000)
52 files changed:
tests/firewall/ruletype-firewall-68-config-default-policy-tls/firewall.rules [new file with mode: 0644]
tests/firewall/ruletype-firewall-68-config-default-policy-tls/suricata.yaml [new file with mode: 0644]
tests/firewall/ruletype-firewall-68-config-default-policy-tls/test.yaml [new file with mode: 0644]
tests/firewall/ruletype-firewall-69-config-default-policy-tls-accept/firewall.rules [new file with mode: 0644]
tests/firewall/ruletype-firewall-69-config-default-policy-tls-accept/suricata.yaml [new file with mode: 0644]
tests/firewall/ruletype-firewall-69-config-default-policy-tls-accept/test.yaml [new file with mode: 0644]
tests/firewall/ruletype-firewall-70-config-default-policy-http/firewall.rules [new file with mode: 0644]
tests/firewall/ruletype-firewall-70-config-default-policy-http/suricata.yaml [new file with mode: 0644]
tests/firewall/ruletype-firewall-70-config-default-policy-http/test.yaml [new file with mode: 0644]
tests/firewall/ruletype-firewall-71-reject-app-default-policy/firewall.rules [new file with mode: 0644]
tests/firewall/ruletype-firewall-71-reject-app-default-policy/suricata.yaml [new file with mode: 0644]
tests/firewall/ruletype-firewall-71-reject-app-default-policy/test.yaml [new file with mode: 0644]
tests/firewall/ruletype-firewall-72-config-default-policy-http/firewall.rules [new file with mode: 0644]
tests/firewall/ruletype-firewall-72-config-default-policy-http/suricata.yaml [new file with mode: 0644]
tests/firewall/ruletype-firewall-72-config-default-policy-http/test.yaml [new file with mode: 0644]
tests/firewall/ruletype-firewall-73-config-default-policy-http/firewall.rules [new file with mode: 0644]
tests/firewall/ruletype-firewall-73-config-default-policy-http/suricata.yaml [new file with mode: 0644]
tests/firewall/ruletype-firewall-73-config-default-policy-http/test.yaml [new file with mode: 0644]
tests/firewall/ruletype-firewall-74-config-default-policy-dns/firewall.rules [new file with mode: 0644]
tests/firewall/ruletype-firewall-74-config-default-policy-dns/suricata.yaml [new file with mode: 0644]
tests/firewall/ruletype-firewall-74-config-default-policy-dns/test.yaml [new file with mode: 0644]
tests/firewall/ruletype-firewall-75-config-default-policy-http-accept-tx/firewall.rules [new file with mode: 0644]
tests/firewall/ruletype-firewall-75-config-default-policy-http-accept-tx/suricata.yaml [new file with mode: 0644]
tests/firewall/ruletype-firewall-75-config-default-policy-http-accept-tx/test.yaml [new file with mode: 0644]
tests/firewall/ruletype-firewall-76-config-default-policy-http-accept-tx-td/firewall.rules [new file with mode: 0644]
tests/firewall/ruletype-firewall-76-config-default-policy-http-accept-tx-td/suricata.yaml [new file with mode: 0644]
tests/firewall/ruletype-firewall-76-config-default-policy-http-accept-tx-td/td.rules [new file with mode: 0644]
tests/firewall/ruletype-firewall-76-config-default-policy-http-accept-tx-td/test.yaml [new file with mode: 0644]
tests/firewall/ruletype-firewall-77-ruleset-default-packet-policy/firewall.rules [new file with mode: 0644]
tests/firewall/ruletype-firewall-77-ruleset-default-packet-policy/suricata.yaml [new file with mode: 0644]
tests/firewall/ruletype-firewall-77-ruleset-default-packet-policy/test.yaml [new file with mode: 0644]
tests/firewall/ruletype-firewall-78-ruleset-default-packet-policy-accept/firewall.rules [new file with mode: 0644]
tests/firewall/ruletype-firewall-78-ruleset-default-packet-policy-accept/suricata.yaml [new file with mode: 0644]
tests/firewall/ruletype-firewall-78-ruleset-default-packet-policy-accept/test.yaml [new file with mode: 0644]
tests/firewall/ruletype-firewall-79-ruleset-default-packet-policy-accept-hook/firewall.rules [new file with mode: 0644]
tests/firewall/ruletype-firewall-79-ruleset-default-packet-policy-accept-hook/suricata.yaml [new file with mode: 0644]
tests/firewall/ruletype-firewall-79-ruleset-default-packet-policy-accept-hook/test.yaml [new file with mode: 0644]
tests/firewall/ruletype-firewall-80-ruleset-default-packet-policy-accept-hook-no-rules/firewall.rules [new file with mode: 0644]
tests/firewall/ruletype-firewall-80-ruleset-default-packet-policy-accept-hook-no-rules/suricata.yaml [new file with mode: 0644]
tests/firewall/ruletype-firewall-80-ruleset-default-packet-policy-accept-hook-no-rules/test.yaml [new file with mode: 0644]
tests/firewall/ruletype-firewall-81-ruleset-default-packet-policy-accept-hook-all/firewall.rules [new file with mode: 0644]
tests/firewall/ruletype-firewall-81-ruleset-default-packet-policy-accept-hook-all/suricata.yaml [new file with mode: 0644]
tests/firewall/ruletype-firewall-81-ruleset-default-packet-policy-accept-hook-all/test.yaml [new file with mode: 0644]
tests/firewall/ruletype-firewall-82-ruleset-default-app-policy-accept-flow/firewall.rules [new file with mode: 0644]
tests/firewall/ruletype-firewall-82-ruleset-default-app-policy-accept-flow/suricata.yaml [new file with mode: 0644]
tests/firewall/ruletype-firewall-82-ruleset-default-app-policy-accept-flow/test.yaml [new file with mode: 0644]
tests/firewall/ruletype-firewall-83-ruleset-default-packet-policy-accept-flow/firewall.rules [new file with mode: 0644]
tests/firewall/ruletype-firewall-83-ruleset-default-packet-policy-accept-flow/suricata.yaml [new file with mode: 0644]
tests/firewall/ruletype-firewall-83-ruleset-default-packet-policy-accept-flow/test.yaml [new file with mode: 0644]
tests/firewall/ruletype-firewall-84-ruleset-default-app-policy-tls-request-started/firewall.rules [new file with mode: 0644]
tests/firewall/ruletype-firewall-84-ruleset-default-app-policy-tls-request-started/suricata.yaml [new file with mode: 0644]
tests/firewall/ruletype-firewall-84-ruleset-default-app-policy-tls-request-started/test.yaml [new file with mode: 0644]

diff --git a/tests/firewall/ruletype-firewall-68-config-default-policy-tls/firewall.rules b/tests/firewall/ruletype-firewall-68-config-default-policy-tls/firewall.rules
new file mode 100644 (file)
index 0000000..2fd6a30
--- /dev/null
@@ -0,0 +1,18 @@
+# allow session setup
+accept:hook tcp:all $HOME_NET any <> $EXTERNAL_NET any (flow:not_established; sid:1021;)
+accept:hook tcp:all $HOME_NET any <> $EXTERNAL_NET 443 (flow:established; sid:1022;)
+
+drop:flow tls:client_hello_done $HOME_NET any -> $EXTERNAL_NET any (tls.version:1.0; msg:"TLS 1.0 not allowed"; sid:102;)
+accept:hook tls:client_hello_done $HOME_NET any -> $EXTERNAL_NET any (tls.sni; content:"www.google.com"; sid:103;)
+
+accept:hook tls:server_in_progress $EXTERNAL_NET any -> $HOME_NET any (sid:107;)
+accept:hook tls:server_hello $EXTERNAL_NET any -> $HOME_NET any (sid:109;)
+drop:flow tls:server_hello_done $EXTERNAL_NET any -> $HOME_NET any (tls.version:1.0; msg:"TLS 1.0 not allowed"; sid:108;)
+drop:flow tls:server_cert_done $EXTERNAL_NET any -> $HOME_NET any (tls.cert_chain_len:>2; sid:110; msg:"TLS certs chain length check"; alert;)
+accept:hook tls:server_hello_done $EXTERNAL_NET any -> $HOME_NET any (sid:111;)
+accept:hook tls:server_cert_done $EXTERNAL_NET any -> $HOME_NET any (sid:112;)
+accept:hook tls:server_handshake_done $EXTERNAL_NET any -> $HOME_NET any (sid:113;)
+accept:hook tls:server_finished $EXTERNAL_NET any -> $HOME_NET any (sid:114;)
+
+
+# Implicit drop all else
diff --git a/tests/firewall/ruletype-firewall-68-config-default-policy-tls/suricata.yaml b/tests/firewall/ruletype-firewall-68-config-default-policy-tls/suricata.yaml
new file mode 100644 (file)
index 0000000..266c41a
--- /dev/null
@@ -0,0 +1,46 @@
+%YAML 1.1
+---
+
+vars:
+  # more specific is better for alert accuracy and performance
+  address-groups:
+    HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
+
+    EXTERNAL_NET: "!$HOME_NET"
+
+
+# Global stats configuration
+stats:
+  enabled: yes
+  interval: 8
+
+# Configure the type of alert (and other) logging you would like.
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+      filename: eve.json
+      types:
+          - stats
+          - flow
+          - alert:
+              verdict: yes
+          - tls:
+              extended: yes     # enable this for extended logging information
+          - drop:
+              alerts: yes      # log alerts that caused drops
+              flows: all       # start or all: 'start' logs only a single drop
+
+firewall:
+  policies:
+    tls:
+      client-in-progress:
+        - "accept:hook"
+      client-hello-done:
+        - "drop:flow"
+      client-cert-done:
+        - "accept:hook"
+      client-handshake-done:
+        - "accept:hook"
+      client-finished:
+        - "accept:hook"
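Review bot: The entries under `types:` are indented four spaces deeper than the `types:` key itself (`          - stats`), while the suricata.yaml files added for tests 70 to 73 indent the same list by two; the same layout is repeated in test 69's config. Both forms parse, but a file-wide sequence indent is what yamllint's `indentation` rule expects and it keeps the five configs diffable against each other. Reindenting the block to `        - stats` through `              flows: all` would match the other files.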
diff --git a/tests/firewall/ruletype-firewall-68-config-default-policy-tls/test.yaml b/tests/firewall/ruletype-firewall-68-config-default-policy-tls/test.yaml
new file mode 100644 (file)
index 0000000..60a11b1
--- /dev/null
@@ -0,0 +1,37 @@
+requires:
+  min-version: 9
+
+pcap: ../../tls/tls-client-hello-frag-01/dump_mtu300.pcap
+
+args:
+  - --simulate-ips
+  - -k none
+
+checks:
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 110
+- filter:
+    count: 42
+    match:
+      event_type: drop
+      drop.reason: "flow drop"
+- filter:
+    count: 1
+    match:
+      event_type: flow
+      app_proto: tls
+      flow.action: drop
+- filter:
+    count: 1
+    match:
+      event_type: stats
+      stats.app_layer.flow.tls: 1
+      stats.flow.total: 1
+      stats.ips.accepted: 19
+      stats.ips.blocked: 43
+      stats.ips.drop_reason.flow_drop: 42
+      stats.ips.drop_reason.rules: 1
+      stats.decoder.pkts: 62
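Review bot: Nothing in these checks distinguishes the `client-hello-done: drop:flow` default policy this test is named for from the `accept:hook` variant in test 69; the two test.yaml blobs are identical (60a11b1), and in the firewall.rules hunk sid 103 accepts the client hello on the `www.google.com` SNI match before the default policy for that hook would apply. The stats filter can at least pin that the configured default was not what decided the verdict by adding `stats.ips.drop_reason.default_app_policy: 0`, the key the http tests in this commit already assert on. A sibling test with a non-matching SNI, or with sid 103 removed, would be needed to actually exercise the drop:flow path; as written, a build that ignored the configured policy at client-hello-done would still pass here.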
diff --git a/tests/firewall/ruletype-firewall-69-config-default-policy-tls-accept/firewall.rules b/tests/firewall/ruletype-firewall-69-config-default-policy-tls-accept/firewall.rules
new file mode 100644 (file)
index 0000000..3d25636
--- /dev/null
@@ -0,0 +1,16 @@
+# allow session setup
+accept:hook tcp:all $HOME_NET any <> $EXTERNAL_NET any (flow:not_established; sid:1021;)
+accept:hook tcp:all $HOME_NET any <> $EXTERNAL_NET 443 (flow:established; sid:1022;)
+
+drop:flow tls:client_hello_done $HOME_NET any -> $EXTERNAL_NET any (tls.version:1.0; msg:"TLS 1.0 not allowed"; sid:102;)
+
+accept:hook tls:server_in_progress $EXTERNAL_NET any -> $HOME_NET any (sid:107;)
+accept:hook tls:server_hello $EXTERNAL_NET any -> $HOME_NET any (sid:109;)
+drop:flow tls:server_hello_done $EXTERNAL_NET any -> $HOME_NET any (tls.version:1.0; msg:"TLS 1.0 not allowed"; sid:108;)
+drop:flow tls:server_cert_done $EXTERNAL_NET any -> $HOME_NET any (tls.cert_chain_len:>2; sid:110; msg:"TLS certs chain length check"; alert;)
+accept:hook tls:server_hello_done $EXTERNAL_NET any -> $HOME_NET any (sid:111;)
+accept:hook tls:server_cert_done $EXTERNAL_NET any -> $HOME_NET any (sid:112;)
+accept:hook tls:server_handshake_done $EXTERNAL_NET any -> $HOME_NET any (sid:113;)
+accept:hook tls:server_finished $EXTERNAL_NET any -> $HOME_NET any (sid:114;)
+
+# Implicit drop all else
diff --git a/tests/firewall/ruletype-firewall-69-config-default-policy-tls-accept/suricata.yaml b/tests/firewall/ruletype-firewall-69-config-default-policy-tls-accept/suricata.yaml
new file mode 100644 (file)
index 0000000..07b7c34
--- /dev/null
@@ -0,0 +1,46 @@
+%YAML 1.1
+---
+
+vars:
+  # more specific is better for alert accuracy and performance
+  address-groups:
+    HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
+
+    EXTERNAL_NET: "!$HOME_NET"
+
+
+# Global stats configuration
+stats:
+  enabled: yes
+  interval: 8
+
+# Configure the type of alert (and other) logging you would like.
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+      filename: eve.json
+      types:
+          - stats
+          - flow
+          - alert:
+              verdict: yes
+          - tls:
+              extended: yes     # enable this for extended logging information
+          - drop:
+              alerts: yes      # log alerts that caused drops
+              flows: all       # start or all: 'start' logs only a single drop
+
+firewall:
+  policies:
+    tls:
+      client-in-progress:
+        - "accept:hook"
+      client-hello-done:
+        - "accept:hook"
+      client-cert-done:
+        - "accept:hook"
+      client-handshake-done:
+        - "accept:hook"
+      client-finished:
+        - "accept:hook"
diff --git a/tests/firewall/ruletype-firewall-69-config-default-policy-tls-accept/test.yaml b/tests/firewall/ruletype-firewall-69-config-default-policy-tls-accept/test.yaml
new file mode 100644 (file)
index 0000000..60a11b1
--- /dev/null
@@ -0,0 +1,37 @@
+requires:
+  min-version: 9
+
+pcap: ../../tls/tls-client-hello-frag-01/dump_mtu300.pcap
+
+args:
+  - --simulate-ips
+  - -k none
+
+checks:
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 110
+- filter:
+    count: 42
+    match:
+      event_type: drop
+      drop.reason: "flow drop"
+- filter:
+    count: 1
+    match:
+      event_type: flow
+      app_proto: tls
+      flow.action: drop
+- filter:
+    count: 1
+    match:
+      event_type: stats
+      stats.app_layer.flow.tls: 1
+      stats.flow.total: 1
+      stats.ips.accepted: 19
+      stats.ips.blocked: 43
+      stats.ips.drop_reason.flow_drop: 42
+      stats.ips.drop_reason.rules: 1
+      stats.decoder.pkts: 62
diff --git a/tests/firewall/ruletype-firewall-70-config-default-policy-http/firewall.rules b/tests/firewall/ruletype-firewall-70-config-default-policy-http/firewall.rules
new file mode 100644 (file)
index 0000000..c46fad0
--- /dev/null
@@ -0,0 +1,19 @@
+# Packet rules
+
+accept:hook tcp:all any any -> any any (sid:100;)
+# default drop
+
+
+accept:hook http1:request_started any any -> any any (alert; sid:101;)
+# default accept:hook for http1:request_line
+accept:hook http1:request_headers any any -> any any (alert; sid:103;)
+# default accept:hook for http1:request_body
+# default accept:hook for http1:request_trailer
+accept:hook http1:request_complete any any -> any any (alert; sid:106;)
+
+accept:hook http1:response_started any any -> any any (alert; sid:201;)
+accept:hook http1:response_line any any -> any any (alert; sid:202;)
+accept:hook http1:response_headers any any -> any any (alert; sid:203;)
+accept:hook http1:response_body any any -> any any (alert; sid:204;)
+accept:hook http1:response_trailer any any -> any any (alert; sid:205;)
+accept:hook http1:response_complete any any -> any any (alert; sid:206;)
diff --git a/tests/firewall/ruletype-firewall-70-config-default-policy-http/suricata.yaml b/tests/firewall/ruletype-firewall-70-config-default-policy-http/suricata.yaml
new file mode 100644 (file)
index 0000000..7a677ed
--- /dev/null
@@ -0,0 +1,73 @@
+%YAML 1.1
+---
+
+vars:
+  # more specific is better for alert accuracy and performance
+  address-groups:
+    HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
+    #HOME_NET: "[192.168.0.0/16]"
+    #HOME_NET: "[10.0.0.0/8]"
+    #HOME_NET: "[172.16.0.0/12]"
+    #HOME_NET: "any"
+
+    EXTERNAL_NET: "!$HOME_NET"
+    #EXTERNAL_NET: "any"
+
+    HTTP_SERVERS: "$HOME_NET"
+    SMTP_SERVERS: "$HOME_NET"
+    SQL_SERVERS: "$HOME_NET"
+    DNS_SERVERS: "$HOME_NET"
+    TELNET_SERVERS: "$HOME_NET"
+    AIM_SERVERS: "$EXTERNAL_NET"
+    DC_SERVERS: "$HOME_NET"
+    DNP3_SERVER: "$HOME_NET"
+    DNP3_CLIENT: "$HOME_NET"
+    MODBUS_CLIENT: "$HOME_NET"
+    MODBUS_SERVER: "$HOME_NET"
+    ENIP_CLIENT: "$HOME_NET"
+    ENIP_SERVER: "$HOME_NET"
+
+  port-groups:
+    HTTP_PORTS: "80"
+    SHELLCODE_PORTS: "!80"
+    ORACLE_PORTS: 1521
+    SSH_PORTS: 22
+    DNP3_PORTS: 20000
+    MODBUS_PORTS: 502
+    FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"
+    FTP_PORTS: 21
+    GENEVE_PORTS: 6081
+    VXLAN_PORTS: 4789
+    TEREDO_PORTS: 3544
+    SIP_PORTS: "[5060, 5061]"
+
+# Global stats configuration
+stats:
+  enabled: yes
+  interval: 8
+
+# Configure the type of alert (and other) logging you would like.
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+      filename: eve.json
+      types:
+        - stats
+        - flow
+        - alert
+        - tls:
+            extended: yes     # enable this for extended logging information
+        - drop:
+            alerts: yes      # log alerts that caused drops
+            flows: all       # start or all: 'start' logs only a single drop
+
+firewall:
+  policies:
+    http:
+      request-line:
+        - "accept:hook"
+      request-body:
+        - "accept:hook"
+      request-trailers:
+        - "accept:hook"
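Review bot: The policy key is spelled `request-trailers:` here but `request-trailer:` in the http policy configs of tests 72 and 73, and the rules in this commit use the singular hook names (`http1:response_trailer`), so one of the two spellings is presumably not the one the config loader looks up. If unknown policy keys are rejected the test cannot start; if they are ignored, the trailer hook falls back to the built-in default and the test passes for a reason it does not document. The three files should agree on one spelling, `request-trailer:` if the loader follows the hook names, and the firewall.rules comment `# default accept:hook for http1:request_trailer` in this test already assumes that form.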
diff --git a/tests/firewall/ruletype-firewall-70-config-default-policy-http/test.yaml b/tests/firewall/ruletype-firewall-70-config-default-policy-http/test.yaml
new file mode 100644 (file)
index 0000000..e220709
--- /dev/null
@@ -0,0 +1,80 @@
+requires:
+  min-version: 9
+
+pcap: ../../flowbit-oring/input.pcap
+
+args:
+  - --simulate-ips
+  - -k none
+
+checks:
+- filter:
+    count: 0
+    match:
+      event_type: alert
+      alert.signature_id: 100
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 101
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 103
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 106
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 201
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 202
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 203
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 204
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 205
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 206
+- filter:
+    count: 0
+    match:
+      event_type: drop
+- filter:
+    count: 1
+    match:
+      event_type: flow
+      flow.pkts_toserver: 6
+      flow.pkts_toclient: 4
+      flow.state: "closed"
+      flow.alerted: true
+- filter:
+    count: 1
+    match:
+      event_type: stats
+      stats.ips.accepted: 10
+      stats.ips.blocked: 0
+      stats.ips.drop_reason.default_app_policy: 0
+      stats.ips.drop_reason.flow_drop: 0
diff --git a/tests/firewall/ruletype-firewall-71-reject-app-default-policy/firewall.rules b/tests/firewall/ruletype-firewall-71-reject-app-default-policy/firewall.rules
new file mode 100644 (file)
index 0000000..9789044
--- /dev/null
@@ -0,0 +1,18 @@
+# Packet rules
+
+# allow session setup
+accept:hook tcp:all $HOME_NET any <> $EXTERNAL_NET 443 (flow:not_established; alert; sid:1021;)
+# allow rest of the flow to 
+accept:hook tcp:all $HOME_NET any <> $EXTERNAL_NET 443 (flow:established; alert; sid:1023;)
+
+# default drop
+
+
+# App-layer rules
+
+# accept sni to bing, not matching so call default reject policy
+accept:hook tls:client_hello_done $HOME_NET any -> $EXTERNAL_NET any (tls.sni; content:"bing"; sid:104; alert;)
+# allow tls before client hello is done.
+accept:hook tls:client_in_progress $HOME_NET any -> $EXTERNAL_NET any (alert; sid:105;)
+
+# default drop
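Review bot: The comment `# allow rest of the flow to ` above sid 1023 is cut off mid-sentence. Given the rule it annotates, `# allow the rest of the established flow to port 443` states what it was meant to say.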
diff --git a/tests/firewall/ruletype-firewall-71-reject-app-default-policy/suricata.yaml b/tests/firewall/ruletype-firewall-71-reject-app-default-policy/suricata.yaml
new file mode 100644 (file)
index 0000000..95bb631
--- /dev/null
@@ -0,0 +1,71 @@
+%YAML 1.1
+---
+
+vars:
+  # more specific is better for alert accuracy and performance
+  address-groups:
+    HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
+    #HOME_NET: "[192.168.0.0/16]"
+    #HOME_NET: "[10.0.0.0/8]"
+    #HOME_NET: "[172.16.0.0/12]"
+    #HOME_NET: "any"
+
+    EXTERNAL_NET: "!$HOME_NET"
+    #EXTERNAL_NET: "any"
+
+    HTTP_SERVERS: "$HOME_NET"
+    SMTP_SERVERS: "$HOME_NET"
+    SQL_SERVERS: "$HOME_NET"
+    DNS_SERVERS: "$HOME_NET"
+    TELNET_SERVERS: "$HOME_NET"
+    AIM_SERVERS: "$EXTERNAL_NET"
+    DC_SERVERS: "$HOME_NET"
+    DNP3_SERVER: "$HOME_NET"
+    DNP3_CLIENT: "$HOME_NET"
+    MODBUS_CLIENT: "$HOME_NET"
+    MODBUS_SERVER: "$HOME_NET"
+    ENIP_CLIENT: "$HOME_NET"
+    ENIP_SERVER: "$HOME_NET"
+
+  port-groups:
+    HTTP_PORTS: "80"
+    SHELLCODE_PORTS: "!80"
+    ORACLE_PORTS: 1521
+    SSH_PORTS: 22
+    DNP3_PORTS: 20000
+    MODBUS_PORTS: 502
+    FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"
+    FTP_PORTS: 21
+    GENEVE_PORTS: 6081
+    VXLAN_PORTS: 4789
+    TEREDO_PORTS: 3544
+    SIP_PORTS: "[5060, 5061]"
+
+# Global stats configuration
+stats:
+  enabled: yes
+  interval: 8
+
+# Configure the type of alert (and other) logging you would like.
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+      filename: eve.json
+      types:
+        - stats
+        - flow
+        - alert:
+            verdict: true
+        - tls:
+            extended: yes     # enable this for extended logging information
+        - drop:
+            alerts: yes      # log alerts that caused drops
+            flows: all       # start or all: 'start' logs only a single drop
+            verdict: true
+
+firewall:
+  policies:
+    tls:
+      client-hello-done:
+        - "reject:flow"
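Review bot: The eve-log stanza writes `verdict: true` for both the alert and the drop types while every other boolean in this file, and the same setting in the test 68 and 69 configs, is written as `yes`. Under the `%YAML 1.1` directive both parse as booleans, so this is only a point of style, but mixing the two forms in one file invites a reader to wonder whether `true` was chosen to mean something different. Using `verdict: yes` here keeps the file consistent with the rest of the commit.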
diff --git a/tests/firewall/ruletype-firewall-71-reject-app-default-policy/test.yaml b/tests/firewall/ruletype-firewall-71-reject-app-default-policy/test.yaml
new file mode 100644 (file)
index 0000000..ad657a4
--- /dev/null
@@ -0,0 +1,86 @@
+requires:
+  min-version: 9
+  features:
+    - LIBNET1.1
+
+pcap: ../../tls/tls-client-hello-frag-01/dump_mtu300.pcap
+
+args:
+  - --simulate-ips
+  - -k none
+
+checks:
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 1023
+      alert.action: allowed
+      pcap_cnt: 6
+      verdict.action: drop
+- filter:
+    count: 2
+    match:
+      event_type: alert
+      pcap_cnt: 6
+      verdict.action: drop
+- filter:
+    count: 3
+    match:
+      event_type: alert
+      alert.signature_id: 1021
+      verdict.action: accept
+- filter:
+    count: 3
+    match:
+      event_type: alert
+      alert.signature_id: 1023
+# packet rule accepted, also accepted at app layer
+- filter:
+    count: 2
+    match:
+      event_type: alert
+      alert.signature_id: 1023
+      verdict.action: accept
+# packet rule accepted, dropped at app layer
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 1023
+      verdict.action: drop
+# count all records with verdict field
+- filter:
+    count: 6
+    match:
+      verdict.action: accept
+# count all records with verdict field
+- filter:
+    count: 59
+    match:
+      verdict.action: drop
+- filter:
+    count: 3
+    match:
+      verdict.action: drop
+      verdict.reject_target: to_client
+      verdict.reject[0]: tcp-reset
+- filter:
+    count: 1
+    match:
+      event_type: flow
+      flow.pkts_toserver: 32
+      flow.pkts_toclient: 30
+      flow.state: "established"
+      flow.alerted: true
+      flow.action: drop
+- filter:
+    count: 1
+    match:
+      event_type: stats
+      stats.ips.accepted: 5
+      stats.ips.rejected: 1
+      stats.ips.blocked: 56
+      stats.ips.drop_reason.default_app_policy: 1
+      stats.ips.drop_reason.rules: 0
+      stats.ips.drop_reason.flow_drop: 56
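Review bot: The filter expecting three records with `verdict.reject[0]: tcp-reset` sits next to `stats.ips.rejected: 1` with nothing explaining why the counts differ; presumably the single rejected packet (pcap_cnt 6) is logged on both alert records for that packet and on the drop record, but a reader has to reconstruct that from the earlier `pcap_cnt: 6` filter. A comment above that filter such as `# one rejected packet (pcap_cnt 6): logged on both of its alert records and on the drop record` would make the expectation self-explaining. The two identical `# count all records with verdict field` comments could likewise say which verdict each filter counts, for instance `# all records with an accept verdict` and `# all records with a drop verdict`.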
diff --git a/tests/firewall/ruletype-firewall-72-config-default-policy-http/firewall.rules b/tests/firewall/ruletype-firewall-72-config-default-policy-http/firewall.rules
new file mode 100644 (file)
index 0000000..3f44c18
--- /dev/null
@@ -0,0 +1,19 @@
+# Packet rules
+
+accept:hook tcp:all any any -> any any (sid:100;)
+# default drop
+
+
+#accept:hook http1:request_started any any -> any any (alert; sid:101;)
+accept:hook http1:request_line any any -> any any (alert; sid:102;)
+accept:hook http1:request_headers any any -> any any (alert; sid:103;)
+accept:hook http1:request_body any any -> any any (alert; sid:104;)
+#accept:hook http1:request_trailers any any -> any any (alert; sid:105;)
+#accept:hook http1:request_complete any any -> any any (alert; sid:106;)
+
+accept:hook http1:response_started any any -> any any (alert; sid:201;)
+accept:hook http1:response_line any any -> any any (alert; sid:202;)
+accept:hook http1:response_headers any any -> any any (alert; sid:203;)
+accept:hook http1:response_body any any -> any any (alert; sid:204;)
+accept:hook http1:response_trailer any any -> any any (alert; sid:205;)
+accept:hook http1:response_complete any any -> any any (alert; sid:206;)
diff --git a/tests/firewall/ruletype-firewall-72-config-default-policy-http/suricata.yaml b/tests/firewall/ruletype-firewall-72-config-default-policy-http/suricata.yaml
new file mode 100644 (file)
index 0000000..f9ae185
--- /dev/null
@@ -0,0 +1,73 @@
+%YAML 1.1
+---
+
+vars:
+  # more specific is better for alert accuracy and performance
+  address-groups:
+    HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
+    #HOME_NET: "[192.168.0.0/16]"
+    #HOME_NET: "[10.0.0.0/8]"
+    #HOME_NET: "[172.16.0.0/12]"
+    #HOME_NET: "any"
+
+    EXTERNAL_NET: "!$HOME_NET"
+    #EXTERNAL_NET: "any"
+
+    HTTP_SERVERS: "$HOME_NET"
+    SMTP_SERVERS: "$HOME_NET"
+    SQL_SERVERS: "$HOME_NET"
+    DNS_SERVERS: "$HOME_NET"
+    TELNET_SERVERS: "$HOME_NET"
+    AIM_SERVERS: "$EXTERNAL_NET"
+    DC_SERVERS: "$HOME_NET"
+    DNP3_SERVER: "$HOME_NET"
+    DNP3_CLIENT: "$HOME_NET"
+    MODBUS_CLIENT: "$HOME_NET"
+    MODBUS_SERVER: "$HOME_NET"
+    ENIP_CLIENT: "$HOME_NET"
+    ENIP_SERVER: "$HOME_NET"
+
+  port-groups:
+    HTTP_PORTS: "80"
+    SHELLCODE_PORTS: "!80"
+    ORACLE_PORTS: 1521
+    SSH_PORTS: 22
+    DNP3_PORTS: 20000
+    MODBUS_PORTS: 502
+    FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"
+    FTP_PORTS: 21
+    GENEVE_PORTS: 6081
+    VXLAN_PORTS: 4789
+    TEREDO_PORTS: 3544
+    SIP_PORTS: "[5060, 5061]"
+
+# Global stats configuration
+stats:
+  enabled: yes
+  interval: 8
+
+# Configure the type of alert (and other) logging you would like.
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+      filename: eve.json
+      types:
+        - stats
+        - flow
+        - alert
+        - tls:
+            extended: yes     # enable this for extended logging information
+        - drop:
+            alerts: yes      # log alerts that caused drops
+            flows: all       # start or all: 'start' logs only a single drop
+
+firewall:
+  policies:
+    http:
+      request-started:
+        - "accept:hook"
+      request-trailer:
+        - "accept:hook"
+      request-complete:
+        - "accept:hook"
diff --git a/tests/firewall/ruletype-firewall-72-config-default-policy-http/test.yaml b/tests/firewall/ruletype-firewall-72-config-default-policy-http/test.yaml
new file mode 100644 (file)
index 0000000..ceaa694
--- /dev/null
@@ -0,0 +1,95 @@
+requires:
+  min-version: 9
+
+pcap: ../../flowbit-oring/input.pcap
+
+args:
+  - --simulate-ips
+  - -k none
+
+checks:
+- filter:
+    count: 0
+    match:
+      event_type: alert
+      alert.signature_id: 100
+- filter:
+    count: 0
+    match:
+      event_type: alert
+      alert.signature_id: 101
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 102
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 103
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 104
+- filter:
+    count: 0
+    match:
+      event_type: alert
+      alert.signature_id: 105
+- filter:
+    count: 0
+    match:
+      event_type: alert
+      alert.signature_id: 106
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 201
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 202
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 203
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 204
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 205
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 206
+- filter:
+    count: 0
+    match:
+      event_type: drop
+- filter:
+    count: 1
+    match:
+      event_type: flow
+      flow.pkts_toserver: 6
+      flow.pkts_toclient: 4
+      flow.state: "closed"
+      flow.alerted: true
+- filter:
+    count: 1
+    match:
+      event_type: stats
+      stats.ips.accepted: 10
+      stats.ips.blocked: 0
+      stats.ips.drop_reason.default_app_policy: 0
+      stats.ips.drop_reason.flow_drop: 0
diff --git a/tests/firewall/ruletype-firewall-73-config-default-policy-http/firewall.rules b/tests/firewall/ruletype-firewall-73-config-default-policy-http/firewall.rules
new file mode 100644 (file)
index 0000000..276e683
--- /dev/null
@@ -0,0 +1,19 @@
+# Packet rules
+
+accept:hook tcp:all any any -> any any (sid:100;)
+# default drop
+
+
+#accept:hook http1:request_started any any -> any any (alert; sid:101;)
+#accept:hook http1:request_line any any -> any any (alert; sid:102;)
+#accept:hook http1:request_headers any any -> any any (alert; sid:103;)
+#accept:hook http1:request_body any any -> any any (alert; sid:104;)
+#accept:hook http1:request_trailers any any -> any any (alert; sid:105;)
+accept:hook http1:request_complete any any -> any any (alert; sid:106;)
+
+accept:hook http1:response_started any any -> any any (alert; sid:201;)
+accept:hook http1:response_line any any -> any any (alert; sid:202;)
+accept:hook http1:response_headers any any -> any any (alert; sid:203;)
+accept:hook http1:response_body any any -> any any (alert; sid:204;)
+accept:hook http1:response_trailer any any -> any any (alert; sid:205;)
+accept:hook http1:response_complete any any -> any any (alert; sid:206;)
diff --git a/tests/firewall/ruletype-firewall-73-config-default-policy-http/suricata.yaml b/tests/firewall/ruletype-firewall-73-config-default-policy-http/suricata.yaml
new file mode 100644 (file)
index 0000000..ece373c
--- /dev/null
@@ -0,0 +1,77 @@
+%YAML 1.1
+---
+
+vars:
+  # more specific is better for alert accuracy and performance
+  address-groups:
+    HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
+    #HOME_NET: "[192.168.0.0/16]"
+    #HOME_NET: "[10.0.0.0/8]"
+    #HOME_NET: "[172.16.0.0/12]"
+    #HOME_NET: "any"
+
+    EXTERNAL_NET: "!$HOME_NET"
+    #EXTERNAL_NET: "any"
+
+    HTTP_SERVERS: "$HOME_NET"
+    SMTP_SERVERS: "$HOME_NET"
+    SQL_SERVERS: "$HOME_NET"
+    DNS_SERVERS: "$HOME_NET"
+    TELNET_SERVERS: "$HOME_NET"
+    AIM_SERVERS: "$EXTERNAL_NET"
+    DC_SERVERS: "$HOME_NET"
+    DNP3_SERVER: "$HOME_NET"
+    DNP3_CLIENT: "$HOME_NET"
+    MODBUS_CLIENT: "$HOME_NET"
+    MODBUS_SERVER: "$HOME_NET"
+    ENIP_CLIENT: "$HOME_NET"
+    ENIP_SERVER: "$HOME_NET"
+
+  port-groups:
+    HTTP_PORTS: "80"
+    SHELLCODE_PORTS: "!80"
+    ORACLE_PORTS: 1521
+    SSH_PORTS: 22
+    DNP3_PORTS: 20000
+    MODBUS_PORTS: 502
+    FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"
+    FTP_PORTS: 21
+    GENEVE_PORTS: 6081
+    VXLAN_PORTS: 4789
+    TEREDO_PORTS: 3544
+    SIP_PORTS: "[5060, 5061]"
+
+# Global stats configuration
+stats:
+  enabled: yes
+  interval: 8
+
+# Configure the type of alert (and other) logging you would like.
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+      filename: eve.json
+      types:
+        - stats
+        - flow
+        - alert
+        - tls:
+            extended: yes     # enable this for extended logging information
+        - drop:
+            alerts: yes      # log alerts that caused drops
+            flows: all       # start or all: 'start' logs only a single drop
+
+firewall:
+  policies:
+    http:
+      request-started:
+        - "accept:hook"
+      request-line:
+        - "accept:hook"
+      request-headers:
+        - "accept:hook"
+      request-body:
+        - "accept:hook"
+      request-trailer:
+        - "accept:hook"
diff --git a/tests/firewall/ruletype-firewall-73-config-default-policy-http/test.yaml b/tests/firewall/ruletype-firewall-73-config-default-policy-http/test.yaml
new file mode 100644 (file)
index 0000000..58ab467
--- /dev/null
@@ -0,0 +1,95 @@
+requires:
+  min-version: 9
+
+pcap: ../../flowbit-oring/input.pcap
+
+args:
+  - --simulate-ips
+  - -k none
+
+checks:
+- filter:
+    count: 0
+    match:
+      event_type: alert
+      alert.signature_id: 100
+- filter:
+    count: 0
+    match:
+      event_type: alert
+      alert.signature_id: 101
+- filter:
+    count: 0
+    match:
+      event_type: alert
+      alert.signature_id: 102
+- filter:
+    count: 0
+    match:
+      event_type: alert
+      alert.signature_id: 103
+- filter:
+    count: 0
+    match:
+      event_type: alert
+      alert.signature_id: 104
+- filter:
+    count: 0
+    match:
+      event_type: alert
+      alert.signature_id: 105
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 106
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 201
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 202
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 203
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 204
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 205
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 206
+- filter:
+    count: 0
+    match:
+      event_type: drop
+- filter:
+    count: 1
+    match:
+      event_type: flow
+      flow.pkts_toserver: 6
+      flow.pkts_toclient: 4
+      flow.state: "closed"
+      flow.alerted: true
+- filter:
+    count: 1
+    match:
+      event_type: stats
+      stats.ips.accepted: 10
+      stats.ips.blocked: 0
+      stats.ips.drop_reason.default_app_policy: 0
+      stats.ips.drop_reason.flow_drop: 0
diff --git a/tests/firewall/ruletype-firewall-74-config-default-policy-dns/firewall.rules b/tests/firewall/ruletype-firewall-74-config-default-policy-dns/firewall.rules
new file mode 100644 (file)
index 0000000..fb940ed
--- /dev/null
@@ -0,0 +1,10 @@
+# Packet rules
+
+accept:hook udp:all any any -> any any (sid:100;)
+# default drop
+
+# dns:request_started uses default policy
+accept:hook dns:request_complete any any -> any any (dns.query; content:"dropbox"; alert; sid:102;)
+
+accept:hook dns:response_started any any -> any any (alert; sid:201;)
+accept:hook dns:response_complete any any -> any any (dns.response.rrname; content:"dropbox"; alert; sid:202;)
diff --git a/tests/firewall/ruletype-firewall-74-config-default-policy-dns/suricata.yaml b/tests/firewall/ruletype-firewall-74-config-default-policy-dns/suricata.yaml
new file mode 100644 (file)
index 0000000..42eb54c
--- /dev/null
@@ -0,0 +1,75 @@
+%YAML 1.1
+---
+
+vars:
+  # more specific is better for alert accuracy and performance
+  address-groups:
+    HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
+    #HOME_NET: "[192.168.0.0/16]"
+    #HOME_NET: "[10.0.0.0/8]"
+    #HOME_NET: "[172.16.0.0/12]"
+    #HOME_NET: "any"
+
+    EXTERNAL_NET: "!$HOME_NET"
+    #EXTERNAL_NET: "any"
+
+    HTTP_SERVERS: "$HOME_NET"
+    SMTP_SERVERS: "$HOME_NET"
+    SQL_SERVERS: "$HOME_NET"
+    DNS_SERVERS: "$HOME_NET"
+    TELNET_SERVERS: "$HOME_NET"
+    AIM_SERVERS: "$EXTERNAL_NET"
+    DC_SERVERS: "$HOME_NET"
+    DNP3_SERVER: "$HOME_NET"
+    DNP3_CLIENT: "$HOME_NET"
+    MODBUS_CLIENT: "$HOME_NET"
+    MODBUS_SERVER: "$HOME_NET"
+    ENIP_CLIENT: "$HOME_NET"
+    ENIP_SERVER: "$HOME_NET"
+
+  port-groups:
+    HTTP_PORTS: "80"
+    SHELLCODE_PORTS: "!80"
+    ORACLE_PORTS: 1521
+    SSH_PORTS: 22
+    DNP3_PORTS: 20000
+    MODBUS_PORTS: 502
+    FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"
+    FTP_PORTS: 21
+    GENEVE_PORTS: 6081
+    VXLAN_PORTS: 4789
+    TEREDO_PORTS: 3544
+    SIP_PORTS: "[5060, 5061]"
+
+# Global stats configuration
+stats:
+  enabled: yes
+  interval: 8
+
+# Configure the type of alert (and other) logging you would like.
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+      filename: eve.json
+      types:
+        - stats
+        - flow
+        - alert
+        - tls:
+            extended: yes     # enable this for extended logging information
+        - drop:
+            alerts: yes      # log alerts that caused drops
+            flows: all       # start or all: 'start' logs only a single drop
+
+firewall:
+  policies:
+    dns:
+      request-started:
+        - "accept:hook"
+      request-complete:
+        - "drop:flow"
+      response-started:
+        - "accept:hook"
+      response-complete:
+        - "drop:flow"
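Review bot: The `drop:flow` defaults on `request-complete` and `response-complete` deserve a comment, because they turn a non-matching DNS query into a drop of the whole flow rather than of that one transaction, which is what the sibling test.yaml's `default_app_policy: 1` and `flow_drop: 1` counters reflect. I would add above the `dns:` key `# request/response-complete default to drop:flow: a query that does not match an accept:hook rule takes the rest of its flow down with it`. The same file also mixes `%YAML 1.1` with `enabled: yes`; that is valid under 1.1, so no change needed there.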
diff --git a/tests/firewall/ruletype-firewall-74-config-default-policy-dns/test.yaml b/tests/firewall/ruletype-firewall-74-config-default-policy-dns/test.yaml
new file mode 100644 (file)
index 0000000..5986c40
--- /dev/null
@@ -0,0 +1,63 @@
+requires:
+  min-version: 9
+
+pcap: ../../dns/dns-eve/input.pcap
+
+args:
+  - --simulate-ips
+  - -k none
+
+checks:
+- filter:
+    count: 0
+    match:
+      event_type: alert
+      alert.signature_id: 100
+- filter:
+    count: 0
+    match:
+      event_type: alert
+      alert.signature_id: 101
+- filter:
+    count: 3
+    match:
+      event_type: alert
+      alert.signature_id: 102
+- filter:
+    count: 3
+    match:
+      event_type: alert
+      alert.signature_id: 201
+- filter:
+    count: 3
+    match:
+      event_type: alert
+      alert.signature_id: 202
+- filter:
+    count: 2
+    match:
+      event_type: drop
+- filter:
+    count: 3
+    match:
+      event_type: flow
+      flow.pkts_toserver: 1
+      flow.pkts_toclient: 1
+      flow.alerted: true
+      not-has-key: flow.action
+- filter:
+    count: 1
+    match:
+      event_type: flow
+      flow.pkts_toserver: 1
+      flow.pkts_toclient: 1
+      flow.alerted: false
+      flow.action: drop
+- filter:
+    count: 1
+    match:
+      event_type: stats
+      stats.ips.accepted: 6
+      stats.ips.blocked: 2
+      stats.ips.drop_reason.default_app_policy: 1
+      stats.ips.drop_reason.flow_drop: 1
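Review bot: The filter for `alert.signature_id: 101` is vacuous: the firewall.rules in this test defines sids 100, 102, 201 and 202 only, so a zero count for 101 cannot fail regardless of policy behaviour. Either drop that filter or, if it is meant to stand in for the `dns:request_started uses default policy` comment in the rules file, add a rule with sid 101 that must not fire. A short comment on the checks, e.g. `# sid 100 is accept without 'alert', so it never logs`, would also make the first zero count self-explanatory.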
diff --git a/tests/firewall/ruletype-firewall-75-config-default-policy-http-accept-tx/firewall.rules b/tests/firewall/ruletype-firewall-75-config-default-policy-http-accept-tx/firewall.rules
new file mode 100644 (file)
index 0000000..276e683
--- /dev/null
@@ -0,0 +1,19 @@
+# Packet rules
+
+accept:hook tcp:all any any -> any any (sid:100;)
+# default drop
+
+
+#accept:hook http1:request_started any any -> any any (alert; sid:101;)
+#accept:hook http1:request_line any any -> any any (alert; sid:102;)
+#accept:hook http1:request_headers any any -> any any (alert; sid:103;)
+#accept:hook http1:request_body any any -> any any (alert; sid:104;)
+#accept:hook http1:request_trailers any any -> any any (alert; sid:105;)
+accept:hook http1:request_complete any any -> any any (alert; sid:106;)
+
+accept:hook http1:response_started any any -> any any (alert; sid:201;)
+accept:hook http1:response_line any any -> any any (alert; sid:202;)
+accept:hook http1:response_headers any any -> any any (alert; sid:203;)
+accept:hook http1:response_body any any -> any any (alert; sid:204;)
+accept:hook http1:response_trailer any any -> any any (alert; sid:205;)
+accept:hook http1:response_complete any any -> any any (alert; sid:206;)
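Review bot: The commented-out sid 105 rule names the hook `http1:request_trailers` (plural) while the response side uses `http1:response_trailer` and the policy key in the sibling suricata.yaml of test 73 is `request-trailer`; if that line is ever uncommented, confirm the hook name matches the parser's spelling, otherwise the rule will fail to load rather than silently not match. The same commented block is duplicated in test 76's firewall.rules. A one-line comment such as `# sids 101-105 kept as documentation of the request hooks; not loaded` would make the intent of keeping commented rules clear.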
diff --git a/tests/firewall/ruletype-firewall-75-config-default-policy-http-accept-tx/suricata.yaml b/tests/firewall/ruletype-firewall-75-config-default-policy-http-accept-tx/suricata.yaml
new file mode 100644 (file)
index 0000000..fae680c
--- /dev/null
@@ -0,0 +1,69 @@
+%YAML 1.1
+---
+
+vars:
+  # more specific is better for alert accuracy and performance
+  address-groups:
+    HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
+    #HOME_NET: "[192.168.0.0/16]"
+    #HOME_NET: "[10.0.0.0/8]"
+    #HOME_NET: "[172.16.0.0/12]"
+    #HOME_NET: "any"
+
+    EXTERNAL_NET: "!$HOME_NET"
+    #EXTERNAL_NET: "any"
+
+    HTTP_SERVERS: "$HOME_NET"
+    SMTP_SERVERS: "$HOME_NET"
+    SQL_SERVERS: "$HOME_NET"
+    DNS_SERVERS: "$HOME_NET"
+    TELNET_SERVERS: "$HOME_NET"
+    AIM_SERVERS: "$EXTERNAL_NET"
+    DC_SERVERS: "$HOME_NET"
+    DNP3_SERVER: "$HOME_NET"
+    DNP3_CLIENT: "$HOME_NET"
+    MODBUS_CLIENT: "$HOME_NET"
+    MODBUS_SERVER: "$HOME_NET"
+    ENIP_CLIENT: "$HOME_NET"
+    ENIP_SERVER: "$HOME_NET"
+
+  port-groups:
+    HTTP_PORTS: "80"
+    SHELLCODE_PORTS: "!80"
+    ORACLE_PORTS: 1521
+    SSH_PORTS: 22
+    DNP3_PORTS: 20000
+    MODBUS_PORTS: 502
+    FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"
+    FTP_PORTS: 21
+    GENEVE_PORTS: 6081
+    VXLAN_PORTS: 4789
+    TEREDO_PORTS: 3544
+    SIP_PORTS: "[5060, 5061]"
+
+# Global stats configuration
+stats:
+  enabled: yes
+  interval: 8
+
+# Configure the type of alert (and other) logging you would like.
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+      filename: eve.json
+      types:
+        - stats
+        - flow
+        - alert
+        - tls:
+            extended: yes     # enable this for extended logging information
+        - drop:
+            alerts: yes      # log alerts that caused drops
+            flows: all       # start or all: 'start' logs only a single drop
+
+firewall:
+  policies:
+    http:
+      request-started:
+        - "accept:tx"
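Review bot: A comment is missing on why only `request-started` is configured here: `accept:tx` at the first hook accepts the whole transaction, and the sibling test.yaml's zero counts for sids 106 and 201-206 indicate that the later-hook rules are never evaluated as a result. I would add above the `http:` key `# accept:tx at request-started accepts the entire transaction; later http hooks (and their rules) are not evaluated`. Test 76's suricata.yaml is byte-identical and would take the same comment.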
diff --git a/tests/firewall/ruletype-firewall-75-config-default-policy-http-accept-tx/test.yaml b/tests/firewall/ruletype-firewall-75-config-default-policy-http-accept-tx/test.yaml
new file mode 100644 (file)
index 0000000..d0fc8ca
--- /dev/null
@@ -0,0 +1,96 @@
+requires:
+  min-version: 9
+
+pcap: ../../flowbit-oring/input.pcap
+
+args:
+  - --simulate-ips
+  - -k none
+
+checks:
+- filter:
+    count: 0
+    match:
+      event_type: alert
+      alert.signature_id: 100
+- filter:
+    count: 0
+    match:
+      event_type: alert
+      alert.signature_id: 101
+- filter:
+    count: 0
+    match:
+      event_type: alert
+      alert.signature_id: 102
+- filter:
+    count: 0
+    match:
+      event_type: alert
+      alert.signature_id: 103
+- filter:
+    count: 0
+    match:
+      event_type: alert
+      alert.signature_id: 104
+- filter:
+    count: 0
+    match:
+      event_type: alert
+      alert.signature_id: 105
+# no match due to accept:tx policy
+- filter:
+    count: 0
+    match:
+      event_type: alert
+      alert.signature_id: 106
+- filter:
+    count: 0
+    match:
+      event_type: alert
+      alert.signature_id: 201
+- filter:
+    count: 0
+    match:
+      event_type: alert
+      alert.signature_id: 202
+- filter:
+    count: 0
+    match:
+      event_type: alert
+      alert.signature_id: 203
+- filter:
+    count: 0
+    match:
+      event_type: alert
+      alert.signature_id: 204
+- filter:
+    count: 0
+    match:
+      event_type: alert
+      alert.signature_id: 205
+- filter:
+    count: 0
+    match:
+      event_type: alert
+      alert.signature_id: 206
+- filter:
+    count: 0
+    match:
+      event_type: drop
+- filter:
+    count: 1
+    match:
+      event_type: flow
+      flow.pkts_toserver: 6
+      flow.pkts_toclient: 4
+      flow.state: "closed"
+      flow.alerted: false
+- filter:
+    count: 1
+    match:
+      event_type: stats
+      stats.ips.accepted: 10
+      stats.ips.blocked: 0
+      stats.ips.drop_reason.default_app_policy: 0
+      stats.ips.drop_reason.flow_drop: 0
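Review bot: The comment `# no match due to accept:tx policy` sits only above the sid 106 filter, but it equally explains the zero counts for sids 201-206 that follow; a reader may wonder why the response-side rules are silent. Move it above the sid 106 block as a group header, e.g. `# sids 106 and 201-206: no match, accept:tx at request-started ends evaluation for the tx`, so it covers all seven filters. The same layout is repeated in test 76's test.yaml.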
diff --git a/tests/firewall/ruletype-firewall-76-config-default-policy-http-accept-tx-td/firewall.rules b/tests/firewall/ruletype-firewall-76-config-default-policy-http-accept-tx-td/firewall.rules
new file mode 100644 (file)
index 0000000..276e683
--- /dev/null
@@ -0,0 +1,19 @@
+# Packet rules
+
+accept:hook tcp:all any any -> any any (sid:100;)
+# default drop
+
+
+#accept:hook http1:request_started any any -> any any (alert; sid:101;)
+#accept:hook http1:request_line any any -> any any (alert; sid:102;)
+#accept:hook http1:request_headers any any -> any any (alert; sid:103;)
+#accept:hook http1:request_body any any -> any any (alert; sid:104;)
+#accept:hook http1:request_trailers any any -> any any (alert; sid:105;)
+accept:hook http1:request_complete any any -> any any (alert; sid:106;)
+
+accept:hook http1:response_started any any -> any any (alert; sid:201;)
+accept:hook http1:response_line any any -> any any (alert; sid:202;)
+accept:hook http1:response_headers any any -> any any (alert; sid:203;)
+accept:hook http1:response_body any any -> any any (alert; sid:204;)
+accept:hook http1:response_trailer any any -> any any (alert; sid:205;)
+accept:hook http1:response_complete any any -> any any (alert; sid:206;)
diff --git a/tests/firewall/ruletype-firewall-76-config-default-policy-http-accept-tx-td/suricata.yaml b/tests/firewall/ruletype-firewall-76-config-default-policy-http-accept-tx-td/suricata.yaml
new file mode 100644 (file)
index 0000000..fae680c
--- /dev/null
@@ -0,0 +1,69 @@
+%YAML 1.1
+---
+
+vars:
+  # more specific is better for alert accuracy and performance
+  address-groups:
+    HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
+    #HOME_NET: "[192.168.0.0/16]"
+    #HOME_NET: "[10.0.0.0/8]"
+    #HOME_NET: "[172.16.0.0/12]"
+    #HOME_NET: "any"
+
+    EXTERNAL_NET: "!$HOME_NET"
+    #EXTERNAL_NET: "any"
+
+    HTTP_SERVERS: "$HOME_NET"
+    SMTP_SERVERS: "$HOME_NET"
+    SQL_SERVERS: "$HOME_NET"
+    DNS_SERVERS: "$HOME_NET"
+    TELNET_SERVERS: "$HOME_NET"
+    AIM_SERVERS: "$EXTERNAL_NET"
+    DC_SERVERS: "$HOME_NET"
+    DNP3_SERVER: "$HOME_NET"
+    DNP3_CLIENT: "$HOME_NET"
+    MODBUS_CLIENT: "$HOME_NET"
+    MODBUS_SERVER: "$HOME_NET"
+    ENIP_CLIENT: "$HOME_NET"
+    ENIP_SERVER: "$HOME_NET"
+
+  port-groups:
+    HTTP_PORTS: "80"
+    SHELLCODE_PORTS: "!80"
+    ORACLE_PORTS: 1521
+    SSH_PORTS: 22
+    DNP3_PORTS: 20000
+    MODBUS_PORTS: 502
+    FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"
+    FTP_PORTS: 21
+    GENEVE_PORTS: 6081
+    VXLAN_PORTS: 4789
+    TEREDO_PORTS: 3544
+    SIP_PORTS: "[5060, 5061]"
+
+# Global stats configuration
+stats:
+  enabled: yes
+  interval: 8
+
+# Configure the type of alert (and other) logging you would like.
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+      filename: eve.json
+      types:
+        - stats
+        - flow
+        - alert
+        - tls:
+            extended: yes     # enable this for extended logging information
+        - drop:
+            alerts: yes      # log alerts that caused drops
+            flows: all       # start or all: 'start' logs only a single drop
+
+firewall:
+  policies:
+    http:
+      request-started:
+        - "accept:tx"
diff --git a/tests/firewall/ruletype-firewall-76-config-default-policy-http-accept-tx-td/td.rules b/tests/firewall/ruletype-firewall-76-config-default-policy-http-accept-tx-td/td.rules
new file mode 100644 (file)
index 0000000..218746e
--- /dev/null
@@ -0,0 +1,2 @@
+alert http any any -> any any (http.host; content:"testmyids"; sid:5000;)
+alert http any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; http.response_body; content:"uid=0|28|root|29|"; sid:2100498; rev:7;)
diff --git a/tests/firewall/ruletype-firewall-76-config-default-policy-http-accept-tx-td/test.yaml b/tests/firewall/ruletype-firewall-76-config-default-policy-http-accept-tx-td/test.yaml
new file mode 100644 (file)
index 0000000..ea4ab42
--- /dev/null
@@ -0,0 +1,106 @@
+requires:
+  min-version: 9
+
+pcap: ../../flowbit-oring/input.pcap
+
+args:
+  - --simulate-ips
+  - -k none
+
+checks:
+- filter:
+    count: 0
+    match:
+      event_type: alert
+      alert.signature_id: 100
+- filter:
+    count: 0
+    match:
+      event_type: alert
+      alert.signature_id: 101
+- filter:
+    count: 0
+    match:
+      event_type: alert
+      alert.signature_id: 102
+- filter:
+    count: 0
+    match:
+      event_type: alert
+      alert.signature_id: 103
+- filter:
+    count: 0
+    match:
+      event_type: alert
+      alert.signature_id: 104
+- filter:
+    count: 0
+    match:
+      event_type: alert
+      alert.signature_id: 105
+# no match due to accept:tx policy
+- filter:
+    count: 0
+    match:
+      event_type: alert
+      alert.signature_id: 106
+- filter:
+    count: 0
+    match:
+      event_type: alert
+      alert.signature_id: 201
+- filter:
+    count: 0
+    match:
+      event_type: alert
+      alert.signature_id: 202
+- filter:
+    count: 0
+    match:
+      event_type: alert
+      alert.signature_id: 203
+- filter:
+    count: 0
+    match:
+      event_type: alert
+      alert.signature_id: 204
+- filter:
+    count: 0
+    match:
+      event_type: alert
+      alert.signature_id: 205
+- filter:
+    count: 0
+    match:
+      event_type: alert
+      alert.signature_id: 206
+- filter:
+    count: 0
+    match:
+      event_type: drop
+- filter:
+    count: 1
+    match:
+      event_type: flow
+      flow.pkts_toserver: 6
+      flow.pkts_toclient: 4
+      flow.state: "closed"
+      flow.alerted: true
+- filter:
+    count: 1
+    match:
+      event_type: stats
+      stats.ips.accepted: 10
+      stats.ips.blocked: 0
+      stats.ips.drop_reason.default_app_policy: 0
+      stats.ips.drop_reason.flow_drop: 0
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 5000
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 2100498
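Review bot: Nothing in this test.yaml states how `td.rules` is loaded alongside `firewall.rules`; presumably the harness picks up both rule files from the test directory, but the reader has to infer that from the sid 5000 and 2100498 filters. A comment before those two filters, e.g. `# threat-detection rules from td.rules still evaluate and alert under accept:tx`, would also record the point this test adds over test 75 (`flow.alerted: true` here versus false there). The two td checks would read better placed next to the other alert filters rather than after the stats block.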
diff --git a/tests/firewall/ruletype-firewall-77-ruleset-default-packet-policy/firewall.rules b/tests/firewall/ruletype-firewall-77-ruleset-default-packet-policy/firewall.rules
new file mode 100644 (file)
index 0000000..52c1b11
--- /dev/null
@@ -0,0 +1,10 @@
+# Packet rules
+
+# accept outgoing ping and the returning pongs
+accept:flow icmp:flow_start $HOME_NET any -> $HOME_NET any (itype:8; msg:"Ping!"; alert; sid:1011;)
+# allow session setup
+accept:packet tcp:all $HOME_NET any <> $EXTERNAL_NET 443 (flow:not_established; alert; sid:1021;)
+# some exception test
+accept:flow tcp:all $HOME_NET any <> 1.2.3.4 443 (flow:established; alert; sid:1022;)
+
+# default drop
diff --git a/tests/firewall/ruletype-firewall-77-ruleset-default-packet-policy/suricata.yaml b/tests/firewall/ruletype-firewall-77-ruleset-default-packet-policy/suricata.yaml
new file mode 100644 (file)
index 0000000..9e83402
--- /dev/null
@@ -0,0 +1,68 @@
+%YAML 1.1
+---
+
+vars:
+  # more specific is better for alert accuracy and performance
+  address-groups:
+    HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
+    #HOME_NET: "[192.168.0.0/16]"
+    #HOME_NET: "[10.0.0.0/8]"
+    #HOME_NET: "[172.16.0.0/12]"
+    #HOME_NET: "any"
+
+    EXTERNAL_NET: "!$HOME_NET"
+    #EXTERNAL_NET: "any"
+
+    HTTP_SERVERS: "$HOME_NET"
+    SMTP_SERVERS: "$HOME_NET"
+    SQL_SERVERS: "$HOME_NET"
+    DNS_SERVERS: "$HOME_NET"
+    TELNET_SERVERS: "$HOME_NET"
+    AIM_SERVERS: "$EXTERNAL_NET"
+    DC_SERVERS: "$HOME_NET"
+    DNP3_SERVER: "$HOME_NET"
+    DNP3_CLIENT: "$HOME_NET"
+    MODBUS_CLIENT: "$HOME_NET"
+    MODBUS_SERVER: "$HOME_NET"
+    ENIP_CLIENT: "$HOME_NET"
+    ENIP_SERVER: "$HOME_NET"
+
+  port-groups:
+    HTTP_PORTS: "80"
+    SHELLCODE_PORTS: "!80"
+    ORACLE_PORTS: 1521
+    SSH_PORTS: 22
+    DNP3_PORTS: 20000
+    MODBUS_PORTS: 502
+    FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"
+    FTP_PORTS: 21
+    GENEVE_PORTS: 6081
+    VXLAN_PORTS: 4789
+    TEREDO_PORTS: 3544
+    SIP_PORTS: "[5060, 5061]"
+
+# Global stats configuration
+stats:
+  enabled: yes
+  interval: 8
+
+# Configure the type of alert (and other) logging you would like.
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+      filename: eve.json
+      types:
+        - stats
+        - flow
+        - alert
+        - tls:
+            extended: yes     # enable this for extended logging information
+        - drop:
+            alerts: yes      # log alerts that caused drops
+            flows: all       # start or all: 'start' logs only a single drop
+
+
+firewall:
+  policies:
+    packet-filter: [ "reject:packet" ]
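Review bot: `packet-filter: [ "reject:packet" ]` uses flow style with padded brackets while the per-hook policies in tests 73-75 are written as block sequences; for consistency across the suite I would write it as `packet-filter:` followed by `  - "reject:packet"`. The same flow-style form appears in the suricata.yaml of tests 78, 79, 80 and 81. There is also a double blank line before `firewall:` that the other files do not have.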
diff --git a/tests/firewall/ruletype-firewall-77-ruleset-default-packet-policy/test.yaml b/tests/firewall/ruletype-firewall-77-ruleset-default-packet-policy/test.yaml
new file mode 100644 (file)
index 0000000..76a2549
--- /dev/null
@@ -0,0 +1,47 @@
+requires:
+  min-version: 9
+  features:
+    - LIBNET1.1
+
+pcap: ../../tls/tls-client-hello-frag-01/dump_mtu300.pcap
+
+args:
+  - --simulate-ips
+  - -k none
+
+checks:
+- filter:
+    count: 0
+    match:
+      event_type: alert
+      alert.signature_id: 1011
+- filter:
+    count: 3
+    match:
+      event_type: alert
+      alert.signature_id: 1021
+- filter:
+    count: 0
+    match:
+      event_type: alert
+      alert.signature_id: 1022
+- filter:
+    count: 59
+    match:
+      event_type: drop
+- filter:
+    count: 1
+    match:
+      event_type: flow
+      flow.pkts_toserver: 32
+      flow.pkts_toclient: 30
+      flow.state: "closed" # TODO due to no drop being applied to the flow, we only drop after stream/app-layer
+      flow.alerted: true
+      not-has-key: flow.action
+- filter:
+    count: 1
+    match:
+      event_type: stats
+      stats.ips.accepted: 3
+      stats.ips.rejected: 59
+      stats.ips.drop_reason.default_packet_policy: 59
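Review bot: The stats filter asserts `rejected: 59` and `default_packet_policy: 59` but not `stats.ips.blocked`, so the test would still pass if rejected packets were additionally counted as blocked; test 78 asserts both `blocked` and `rejected`, and this one should too with `stats.ips.blocked: 0`. The inline `# TODO due to no drop being applied to the flow, ...` on `flow.state` is hard to follow; I would reword it to say what is observed and what is expected instead, e.g. `# TODO: state is "closed" because reject:packet acts per packet and never marks the flow; a flow-level action would leave it earlier`, only if that is indeed the intended behaviour.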
diff --git a/tests/firewall/ruletype-firewall-78-ruleset-default-packet-policy-accept/firewall.rules b/tests/firewall/ruletype-firewall-78-ruleset-default-packet-policy-accept/firewall.rules
new file mode 100644 (file)
index 0000000..58cca31
--- /dev/null
@@ -0,0 +1,3 @@
+# Packet rules
+
+# default policy: accept:packet
diff --git a/tests/firewall/ruletype-firewall-78-ruleset-default-packet-policy-accept/suricata.yaml b/tests/firewall/ruletype-firewall-78-ruleset-default-packet-policy-accept/suricata.yaml
new file mode 100644 (file)
index 0000000..b29bbda
--- /dev/null
@@ -0,0 +1,68 @@
+%YAML 1.1
+---
+
+vars:
+  # more specific is better for alert accuracy and performance
+  address-groups:
+    HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
+    #HOME_NET: "[192.168.0.0/16]"
+    #HOME_NET: "[10.0.0.0/8]"
+    #HOME_NET: "[172.16.0.0/12]"
+    #HOME_NET: "any"
+
+    EXTERNAL_NET: "!$HOME_NET"
+    #EXTERNAL_NET: "any"
+
+    HTTP_SERVERS: "$HOME_NET"
+    SMTP_SERVERS: "$HOME_NET"
+    SQL_SERVERS: "$HOME_NET"
+    DNS_SERVERS: "$HOME_NET"
+    TELNET_SERVERS: "$HOME_NET"
+    AIM_SERVERS: "$EXTERNAL_NET"
+    DC_SERVERS: "$HOME_NET"
+    DNP3_SERVER: "$HOME_NET"
+    DNP3_CLIENT: "$HOME_NET"
+    MODBUS_CLIENT: "$HOME_NET"
+    MODBUS_SERVER: "$HOME_NET"
+    ENIP_CLIENT: "$HOME_NET"
+    ENIP_SERVER: "$HOME_NET"
+
+  port-groups:
+    HTTP_PORTS: "80"
+    SHELLCODE_PORTS: "!80"
+    ORACLE_PORTS: 1521
+    SSH_PORTS: 22
+    DNP3_PORTS: 20000
+    MODBUS_PORTS: 502
+    FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"
+    FTP_PORTS: 21
+    GENEVE_PORTS: 6081
+    VXLAN_PORTS: 4789
+    TEREDO_PORTS: 3544
+    SIP_PORTS: "[5060, 5061]"
+
+# Global stats configuration
+stats:
+  enabled: yes
+  interval: 8
+
+# Configure the type of alert (and other) logging you would like.
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+      filename: eve.json
+      types:
+        - stats
+        - flow
+        - alert
+        - tls:
+            extended: yes     # enable this for extended logging information
+        - drop:
+            alerts: yes      # log alerts that caused drops
+            flows: all       # start or all: 'start' logs only a single drop
+
+
+firewall:
+  policies:
+    packet-filter: [ "accept:packet" ]
diff --git a/tests/firewall/ruletype-firewall-78-ruleset-default-packet-policy-accept/test.yaml b/tests/firewall/ruletype-firewall-78-ruleset-default-packet-policy-accept/test.yaml
new file mode 100644 (file)
index 0000000..53a5247
--- /dev/null
@@ -0,0 +1,31 @@
+requires:
+  min-version: 9
+
+pcap: ../../tls/tls-client-hello-frag-01/dump_mtu300.pcap
+
+args:
+  - --simulate-ips
+  - -k none
+
+checks:
+- filter:
+    count: 0
+    match:
+      event_type: drop
+- filter:
+    count: 1
+    match:
+      event_type: flow
+      flow.pkts_toserver: 32
+      flow.pkts_toclient: 30
+      flow.state: "closed"
+      flow.alerted: false
+      not-has-key: flow.action
+- filter:
+    count: 1
+    match:
+      event_type: stats
+      stats.ips.accepted: 62
+      stats.ips.blocked: 0
+      stats.ips.rejected: 0
+      stats.ips.drop_reason.default_packet_policy: 0
diff --git a/tests/firewall/ruletype-firewall-79-ruleset-default-packet-policy-accept-hook/firewall.rules b/tests/firewall/ruletype-firewall-79-ruleset-default-packet-policy-accept-hook/firewall.rules
new file mode 100644 (file)
index 0000000..deed294
--- /dev/null
@@ -0,0 +1,8 @@
+# Packet rules
+
+# should not match
+accept:hook tcp:all any any -> any any (flags:RF; sid:1;)
+
+# default packet policy: accept:hook
+
+# no app rules, so drop ?
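Review bot: The trailing `?` in `# no app rules, so drop ?` leaves the expected behaviour open, yet the sibling test.yaml already pins it (`flow.action: drop`, `default_app_policy: 1`); the comment should state the resolved expectation, as test 80's copy of the same file does with `# no app rules, so drop`. The `# should not match` above sid 1 would be more useful if it said why, e.g. `# should not match: no packet in the pcap carries RST+FIN together`, assuming that is the reason the `flags:RF` rule was chosen.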
diff --git a/tests/firewall/ruletype-firewall-79-ruleset-default-packet-policy-accept-hook/suricata.yaml b/tests/firewall/ruletype-firewall-79-ruleset-default-packet-policy-accept-hook/suricata.yaml
new file mode 100644 (file)
index 0000000..acb5423
--- /dev/null
@@ -0,0 +1,68 @@
+%YAML 1.1
+---
+
+vars:
+  # more specific is better for alert accuracy and performance
+  address-groups:
+    HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
+    #HOME_NET: "[192.168.0.0/16]"
+    #HOME_NET: "[10.0.0.0/8]"
+    #HOME_NET: "[172.16.0.0/12]"
+    #HOME_NET: "any"
+
+    EXTERNAL_NET: "!$HOME_NET"
+    #EXTERNAL_NET: "any"
+
+    HTTP_SERVERS: "$HOME_NET"
+    SMTP_SERVERS: "$HOME_NET"
+    SQL_SERVERS: "$HOME_NET"
+    DNS_SERVERS: "$HOME_NET"
+    TELNET_SERVERS: "$HOME_NET"
+    AIM_SERVERS: "$EXTERNAL_NET"
+    DC_SERVERS: "$HOME_NET"
+    DNP3_SERVER: "$HOME_NET"
+    DNP3_CLIENT: "$HOME_NET"
+    MODBUS_CLIENT: "$HOME_NET"
+    MODBUS_SERVER: "$HOME_NET"
+    ENIP_CLIENT: "$HOME_NET"
+    ENIP_SERVER: "$HOME_NET"
+
+  port-groups:
+    HTTP_PORTS: "80"
+    SHELLCODE_PORTS: "!80"
+    ORACLE_PORTS: 1521
+    SSH_PORTS: 22
+    DNP3_PORTS: 20000
+    MODBUS_PORTS: 502
+    FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"
+    FTP_PORTS: 21
+    GENEVE_PORTS: 6081
+    VXLAN_PORTS: 4789
+    TEREDO_PORTS: 3544
+    SIP_PORTS: "[5060, 5061]"
+
+# Global stats configuration
+stats:
+  enabled: yes
+  interval: 8
+
+# Configure the type of alert (and other) logging you would like.
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+      filename: eve.json
+      types:
+        - stats
+        - flow
+        - alert
+        - tls:
+            extended: yes     # enable this for extended logging information
+        - drop:
+            alerts: yes      # log alerts that caused drops
+            flows: all       # start or all: 'start' logs only a single drop
+
+
+firewall:
+  policies:
+    packet-filter: [ "accept:hook" ]
diff --git a/tests/firewall/ruletype-firewall-79-ruleset-default-packet-policy-accept-hook/test.yaml b/tests/firewall/ruletype-firewall-79-ruleset-default-packet-policy-accept-hook/test.yaml
new file mode 100644 (file)
index 0000000..75ebe71
--- /dev/null
@@ -0,0 +1,33 @@
+requires:
+  min-version: 9
+
+pcap: ../../tls/tls-client-hello-frag-01/dump_mtu300.pcap
+
+args:
+  - --simulate-ips
+  - -k none
+
+checks:
+- filter:
+    count: 59
+    match:
+      event_type: drop
+- filter:
+    count: 1
+    match:
+      event_type: flow
+      flow.pkts_toserver: 32
+      flow.pkts_toclient: 30
+      flow.state: "established"
+      flow.alerted: false
+      flow.action: drop
+- filter:
+    count: 1
+    match:
+      event_type: stats
+      stats.ips.accepted: 3
+      stats.ips.blocked: 59
+      stats.ips.rejected: 0
+      stats.ips.drop_reason.default_packet_policy: 0
+      stats.ips.drop_reason.default_app_policy: 1
+      stats.ips.drop_reason.flow_drop: 58
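Review bot: The firewall.rules for this test carries a sid 1 rule annotated `# should not match`, but no filter here asserts it, so a regression in which `flags:RF` starts matching would go unnoticed; add `- filter:` / `count: 0` / `match: {event_type: alert, alert.signature_id: 1}` in the block style used elsewhere. Note this test.yaml is byte-identical to test 80's, so the sid 1 filter is the only check that would distinguish the two tests.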
diff --git a/tests/firewall/ruletype-firewall-80-ruleset-default-packet-policy-accept-hook-no-rules/firewall.rules b/tests/firewall/ruletype-firewall-80-ruleset-default-packet-policy-accept-hook-no-rules/firewall.rules
new file mode 100644 (file)
index 0000000..f01bba7
--- /dev/null
@@ -0,0 +1,5 @@
+# Packet rules
+
+# default packet policy: accept:hook
+
+# no app rules, so drop
diff --git a/tests/firewall/ruletype-firewall-80-ruleset-default-packet-policy-accept-hook-no-rules/suricata.yaml b/tests/firewall/ruletype-firewall-80-ruleset-default-packet-policy-accept-hook-no-rules/suricata.yaml
new file mode 100644 (file)
index 0000000..acb5423
--- /dev/null
@@ -0,0 +1,68 @@
+%YAML 1.1
+---
+
+vars:
+  # more specific is better for alert accuracy and performance
+  address-groups:
+    HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
+    #HOME_NET: "[192.168.0.0/16]"
+    #HOME_NET: "[10.0.0.0/8]"
+    #HOME_NET: "[172.16.0.0/12]"
+    #HOME_NET: "any"
+
+    EXTERNAL_NET: "!$HOME_NET"
+    #EXTERNAL_NET: "any"
+
+    HTTP_SERVERS: "$HOME_NET"
+    SMTP_SERVERS: "$HOME_NET"
+    SQL_SERVERS: "$HOME_NET"
+    DNS_SERVERS: "$HOME_NET"
+    TELNET_SERVERS: "$HOME_NET"
+    AIM_SERVERS: "$EXTERNAL_NET"
+    DC_SERVERS: "$HOME_NET"
+    DNP3_SERVER: "$HOME_NET"
+    DNP3_CLIENT: "$HOME_NET"
+    MODBUS_CLIENT: "$HOME_NET"
+    MODBUS_SERVER: "$HOME_NET"
+    ENIP_CLIENT: "$HOME_NET"
+    ENIP_SERVER: "$HOME_NET"
+
+  port-groups:
+    HTTP_PORTS: "80"
+    SHELLCODE_PORTS: "!80"
+    ORACLE_PORTS: 1521
+    SSH_PORTS: 22
+    DNP3_PORTS: 20000
+    MODBUS_PORTS: 502
+    FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"
+    FTP_PORTS: 21
+    GENEVE_PORTS: 6081
+    VXLAN_PORTS: 4789
+    TEREDO_PORTS: 3544
+    SIP_PORTS: "[5060, 5061]"
+
+# Global stats configuration
+stats:
+  enabled: yes
+  interval: 8
+
+# Configure the type of alert (and other) logging you would like.
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+      filename: eve.json
+      types:
+        - stats
+        - flow
+        - alert
+        - tls:
+            extended: yes     # enable this for extended logging information
+        - drop:
+            alerts: yes      # log alerts that caused drops
+            flows: all       # start or all: 'start' logs only a single drop
+
+
+firewall:
+  policies:
+    packet-filter: [ "accept:hook" ]
diff --git a/tests/firewall/ruletype-firewall-80-ruleset-default-packet-policy-accept-hook-no-rules/test.yaml b/tests/firewall/ruletype-firewall-80-ruleset-default-packet-policy-accept-hook-no-rules/test.yaml
new file mode 100644 (file)
index 0000000..75ebe71
--- /dev/null
@@ -0,0 +1,33 @@
+requires:
+  min-version: 9
+
+pcap: ../../tls/tls-client-hello-frag-01/dump_mtu300.pcap
+
+args:
+  - --simulate-ips
+  - -k none
+
+checks:
+- filter:
+    count: 59
+    match:
+      event_type: drop
+- filter:
+    count: 1
+    match:
+      event_type: flow
+      flow.pkts_toserver: 32
+      flow.pkts_toclient: 30
+      flow.state: "established"
+      flow.alerted: false
+      flow.action: drop
+- filter:
+    count: 1
+    match:
+      event_type: stats
+      stats.ips.accepted: 3
+      stats.ips.blocked: 59
+      stats.ips.rejected: 0
+      stats.ips.drop_reason.default_packet_policy: 0
+      stats.ips.drop_reason.default_app_policy: 1
+      stats.ips.drop_reason.flow_drop: 58
diff --git a/tests/firewall/ruletype-firewall-81-ruleset-default-packet-policy-accept-hook-all/firewall.rules b/tests/firewall/ruletype-firewall-81-ruleset-default-packet-policy-accept-hook-all/firewall.rules
new file mode 100644 (file)
index 0000000..f01bba7
--- /dev/null
@@ -0,0 +1,5 @@
+# Packet rules
+
+# default packet policy: accept:hook
+
+# no app rules, so drop
diff --git a/tests/firewall/ruletype-firewall-81-ruleset-default-packet-policy-accept-hook-all/suricata.yaml b/tests/firewall/ruletype-firewall-81-ruleset-default-packet-policy-accept-hook-all/suricata.yaml
new file mode 100644 (file)
index 0000000..74b0e8b
--- /dev/null
@@ -0,0 +1,80 @@
+%YAML 1.1
+---
+
+vars:
+  # more specific is better for alert accuracy and performance
+  address-groups:
+    HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
+    #HOME_NET: "[192.168.0.0/16]"
+    #HOME_NET: "[10.0.0.0/8]"
+    #HOME_NET: "[172.16.0.0/12]"
+    #HOME_NET: "any"
+
+    EXTERNAL_NET: "!$HOME_NET"
+    #EXTERNAL_NET: "any"
+
+    HTTP_SERVERS: "$HOME_NET"
+    SMTP_SERVERS: "$HOME_NET"
+    SQL_SERVERS: "$HOME_NET"
+    DNS_SERVERS: "$HOME_NET"
+    TELNET_SERVERS: "$HOME_NET"
+    AIM_SERVERS: "$EXTERNAL_NET"
+    DC_SERVERS: "$HOME_NET"
+    DNP3_SERVER: "$HOME_NET"
+    DNP3_CLIENT: "$HOME_NET"
+    MODBUS_CLIENT: "$HOME_NET"
+    MODBUS_SERVER: "$HOME_NET"
+    ENIP_CLIENT: "$HOME_NET"
+    ENIP_SERVER: "$HOME_NET"
+
+  port-groups:
+    HTTP_PORTS: "80"
+    SHELLCODE_PORTS: "!80"
+    ORACLE_PORTS: 1521
+    SSH_PORTS: 22
+    DNP3_PORTS: 20000
+    MODBUS_PORTS: 502
+    FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"
+    FTP_PORTS: 21
+    GENEVE_PORTS: 6081
+    VXLAN_PORTS: 4789
+    TEREDO_PORTS: 3544
+    SIP_PORTS: "[5060, 5061]"
+
+# Global stats configuration
+stats:
+  enabled: yes
+  interval: 8
+
+# Configure the type of alert (and other) logging you would like.
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+      filename: eve.json
+      types:
+        - stats
+        - flow
+        - alert
+        - tls:
+            extended: yes     # enable this for extended logging information
+        - drop:
+            alerts: yes      # log alerts that caused drops
+            flows: all       # start or all: 'start' logs only a single drop
+
+
+firewall:
+  policies:
+    packet-filter: [ "accept:hook" ]
+    tls:
+      client-in-progress: [ "accept:hook" ]
+      client-hello-done: [ "accept:hook" ]
+      client-cert-done: [ "accept:hook" ]
+      client-handshake-done: [ "accept:hook" ]
+      client-finished: [ "accept:hook" ]
+      server-in-progress: [ "accept:hook" ]
+      server-hello: [ "accept:hook" ]
+      server-hello-done: [ "accept:hook" ]
+      server-cert-done: [ "accept:hook" ]
+      server-handshake-done: [ "accept:hook" ]
+      server-finished: [ "accept:hook" ]
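Review bot: The `firewall:` stanza carries no comment explaining what the enumerated TLS hook list is meant to show, which is the only part of this 80-line file the test actually depends on; the `vars:` address and port groups above it are stock defaults that no rule references, since the rule file is empty. A comment such as `# accept at every tls hook so the default app policy is never reached (expected: 0 drops)` above `tls:` would make the intent explicit, and trimming the unused `vars:` block would leave the policy as the visible content. The same applies to the suricata.yaml hunks of tests 82, 83 and 84, whose firewall stanzas differ only in the one policy line each is testing.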
diff --git a/tests/firewall/ruletype-firewall-81-ruleset-default-packet-policy-accept-hook-all/test.yaml b/tests/firewall/ruletype-firewall-81-ruleset-default-packet-policy-accept-hook-all/test.yaml
new file mode 100644 (file)
index 0000000..9d132b3
--- /dev/null
@@ -0,0 +1,33 @@
+requires:
+  min-version: 9
+
+pcap: ../../tls/tls-client-hello-frag-01/dump_mtu300.pcap
+
+args:
+  - --simulate-ips
+  - -k none
+
+checks:
+- filter:
+    count: 0
+    match:
+      event_type: drop
+- filter:
+    count: 1
+    match:
+      event_type: flow
+      flow.pkts_toserver: 32
+      flow.pkts_toclient: 30
+      flow.state: "closed"
+      flow.alerted: false
+      not-has-key: flow.action
+- filter:
+    count: 1
+    match:
+      event_type: stats
+      stats.ips.accepted: 62
+      stats.ips.blocked: 0
+      stats.ips.rejected: 0
+      stats.ips.drop_reason.default_packet_policy: 0
+      stats.ips.drop_reason.default_app_policy: 0
+      stats.ips.drop_reason.flow_drop: 0
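Review bot: `not-has-key: flow.action` is a deliberate difference from tests 82, 83 and 84, which match `flow.action: accept`, but nothing in the file says why the key is expected to be absent here. Presumably an `accept:hook` verdict at every hook never sets a flow-level action, whereas `accept:flow` does; if that is the intended contract, a comment above the check, e.g. `# accept:hook never records a flow-level action; only accept:flow does`, would turn the check into documentation of that behaviour rather than a value that has to be reverse-engineered.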
diff --git a/tests/firewall/ruletype-firewall-82-ruleset-default-app-policy-accept-flow/firewall.rules b/tests/firewall/ruletype-firewall-82-ruleset-default-app-policy-accept-flow/firewall.rules
new file mode 100644 (file)
index 0000000..f01bba7
--- /dev/null
@@ -0,0 +1,5 @@
+# Packet rules
+
+# default packet policy: accept:hook
+
+# no app rules, so drop
diff --git a/tests/firewall/ruletype-firewall-82-ruleset-default-app-policy-accept-flow/suricata.yaml b/tests/firewall/ruletype-firewall-82-ruleset-default-app-policy-accept-flow/suricata.yaml
new file mode 100644 (file)
index 0000000..50448d7
--- /dev/null
@@ -0,0 +1,70 @@
+%YAML 1.1
+---
+
+vars:
+  # more specific is better for alert accuracy and performance
+  address-groups:
+    HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
+    #HOME_NET: "[192.168.0.0/16]"
+    #HOME_NET: "[10.0.0.0/8]"
+    #HOME_NET: "[172.16.0.0/12]"
+    #HOME_NET: "any"
+
+    EXTERNAL_NET: "!$HOME_NET"
+    #EXTERNAL_NET: "any"
+
+    HTTP_SERVERS: "$HOME_NET"
+    SMTP_SERVERS: "$HOME_NET"
+    SQL_SERVERS: "$HOME_NET"
+    DNS_SERVERS: "$HOME_NET"
+    TELNET_SERVERS: "$HOME_NET"
+    AIM_SERVERS: "$EXTERNAL_NET"
+    DC_SERVERS: "$HOME_NET"
+    DNP3_SERVER: "$HOME_NET"
+    DNP3_CLIENT: "$HOME_NET"
+    MODBUS_CLIENT: "$HOME_NET"
+    MODBUS_SERVER: "$HOME_NET"
+    ENIP_CLIENT: "$HOME_NET"
+    ENIP_SERVER: "$HOME_NET"
+
+  port-groups:
+    HTTP_PORTS: "80"
+    SHELLCODE_PORTS: "!80"
+    ORACLE_PORTS: 1521
+    SSH_PORTS: 22
+    DNP3_PORTS: 20000
+    MODBUS_PORTS: 502
+    FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"
+    FTP_PORTS: 21
+    GENEVE_PORTS: 6081
+    VXLAN_PORTS: 4789
+    TEREDO_PORTS: 3544
+    SIP_PORTS: "[5060, 5061]"
+
+# Global stats configuration
+stats:
+  enabled: yes
+  interval: 8
+
+# Configure the type of alert (and other) logging you would like.
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+      filename: eve.json
+      types:
+        - stats
+        - flow
+        - alert
+        - tls:
+            extended: yes     # enable this for extended logging information
+        - drop:
+            alerts: yes      # log alerts that caused drops
+            flows: all       # start or all: 'start' logs only a single drop
+
+
+firewall:
+  policies:
+    packet-filter: [ "accept:hook" ]
+    tls:
+      client-in-progress: [ "accept:flow" ]
diff --git a/tests/firewall/ruletype-firewall-82-ruleset-default-app-policy-accept-flow/test.yaml b/tests/firewall/ruletype-firewall-82-ruleset-default-app-policy-accept-flow/test.yaml
new file mode 100644 (file)
index 0000000..94bd99d
--- /dev/null
@@ -0,0 +1,33 @@
+requires:
+  min-version: 9
+
+pcap: ../../tls/tls-client-hello-frag-01/dump_mtu300.pcap
+
+args:
+  - --simulate-ips
+  - -k none
+
+checks:
+- filter:
+    count: 0
+    match:
+      event_type: drop
+- filter:
+    count: 1
+    match:
+      event_type: flow
+      flow.pkts_toserver: 32
+      flow.pkts_toclient: 30
+      flow.state: "closed"
+      flow.alerted: false
+      flow.action: "accept"
+- filter:
+    count: 1
+    match:
+      event_type: stats
+      stats.ips.accepted: 62
+      stats.ips.blocked: 0
+      stats.ips.rejected: 0
+      stats.ips.drop_reason.default_packet_policy: 0
+      stats.ips.drop_reason.default_app_policy: 0
+      stats.ips.drop_reason.flow_drop: 0
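Review bot: `flow.action: "accept"` is quoted here and in the test 84 hunk, but the same key is written unquoted as `flow.action: accept` in the test 83 hunk and `flow.action: drop` in test 80, while `flow.state: "closed"` is quoted everywhere. The values parse identically either way, so this is a style point: pick one form for the `flow.*` string matches across these files (quoting is the safer default for match values) so a later edit does not introduce a mismatch by following the wrong neighbour.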
diff --git a/tests/firewall/ruletype-firewall-83-ruleset-default-packet-policy-accept-flow/firewall.rules b/tests/firewall/ruletype-firewall-83-ruleset-default-packet-policy-accept-flow/firewall.rules
new file mode 100644 (file)
index 0000000..f01bba7
--- /dev/null
@@ -0,0 +1,5 @@
+# Packet rules
+
+# default packet policy: accept:hook
+
+# no app rules, so drop
diff --git a/tests/firewall/ruletype-firewall-83-ruleset-default-packet-policy-accept-flow/suricata.yaml b/tests/firewall/ruletype-firewall-83-ruleset-default-packet-policy-accept-flow/suricata.yaml
new file mode 100644 (file)
index 0000000..a6530bb
--- /dev/null
@@ -0,0 +1,68 @@
+%YAML 1.1
+---
+
+vars:
+  # more specific is better for alert accuracy and performance
+  address-groups:
+    HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
+    #HOME_NET: "[192.168.0.0/16]"
+    #HOME_NET: "[10.0.0.0/8]"
+    #HOME_NET: "[172.16.0.0/12]"
+    #HOME_NET: "any"
+
+    EXTERNAL_NET: "!$HOME_NET"
+    #EXTERNAL_NET: "any"
+
+    HTTP_SERVERS: "$HOME_NET"
+    SMTP_SERVERS: "$HOME_NET"
+    SQL_SERVERS: "$HOME_NET"
+    DNS_SERVERS: "$HOME_NET"
+    TELNET_SERVERS: "$HOME_NET"
+    AIM_SERVERS: "$EXTERNAL_NET"
+    DC_SERVERS: "$HOME_NET"
+    DNP3_SERVER: "$HOME_NET"
+    DNP3_CLIENT: "$HOME_NET"
+    MODBUS_CLIENT: "$HOME_NET"
+    MODBUS_SERVER: "$HOME_NET"
+    ENIP_CLIENT: "$HOME_NET"
+    ENIP_SERVER: "$HOME_NET"
+
+  port-groups:
+    HTTP_PORTS: "80"
+    SHELLCODE_PORTS: "!80"
+    ORACLE_PORTS: 1521
+    SSH_PORTS: 22
+    DNP3_PORTS: 20000
+    MODBUS_PORTS: 502
+    FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"
+    FTP_PORTS: 21
+    GENEVE_PORTS: 6081
+    VXLAN_PORTS: 4789
+    TEREDO_PORTS: 3544
+    SIP_PORTS: "[5060, 5061]"
+
+# Global stats configuration
+stats:
+  enabled: yes
+  interval: 8
+
+# Configure the type of alert (and other) logging you would like.
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+      filename: eve.json
+      types:
+        - stats
+        - flow
+        - alert
+        - tls:
+            extended: yes     # enable this for extended logging information
+        - drop:
+            alerts: yes      # log alerts that caused drops
+            flows: all       # start or all: 'start' logs only a single drop
+
+
+firewall:
+  policies:
+    packet-filter: [ "accept:flow" ]
diff --git a/tests/firewall/ruletype-firewall-83-ruleset-default-packet-policy-accept-flow/test.yaml b/tests/firewall/ruletype-firewall-83-ruleset-default-packet-policy-accept-flow/test.yaml
new file mode 100644 (file)
index 0000000..99853e8
--- /dev/null
@@ -0,0 +1,33 @@
+requires:
+  min-version: 9
+
+pcap: ../../tls/tls-client-hello-frag-01/dump_mtu300.pcap
+
+args:
+  - --simulate-ips
+  - -k none
+
+checks:
+- filter:
+    count: 0
+    match:
+      event_type: drop
+- filter:
+    count: 1
+    match:
+      event_type: flow
+      flow.pkts_toserver: 32
+      flow.pkts_toclient: 30
+      flow.state: "closed"
+      flow.alerted: false
+      flow.action: accept
+- filter:
+    count: 1
+    match:
+      event_type: stats
+      stats.ips.accepted: 62
+      stats.ips.blocked: 0
+      stats.ips.rejected: 0
+      stats.ips.drop_reason.default_packet_policy: 0
+      stats.ips.drop_reason.default_app_policy: 0
+      stats.ips.drop_reason.flow_drop: 0
diff --git a/tests/firewall/ruletype-firewall-84-ruleset-default-app-policy-tls-request-started/firewall.rules b/tests/firewall/ruletype-firewall-84-ruleset-default-app-policy-tls-request-started/firewall.rules
new file mode 100644 (file)
index 0000000..f01bba7
--- /dev/null
@@ -0,0 +1,5 @@
+# Packet rules
+
+# default packet policy: accept:hook
+
+# no app rules, so drop
diff --git a/tests/firewall/ruletype-firewall-84-ruleset-default-app-policy-tls-request-started/suricata.yaml b/tests/firewall/ruletype-firewall-84-ruleset-default-app-policy-tls-request-started/suricata.yaml
new file mode 100644 (file)
index 0000000..b0dde03
--- /dev/null
@@ -0,0 +1,70 @@
+%YAML 1.1
+---
+
+vars:
+  # more specific is better for alert accuracy and performance
+  address-groups:
+    HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
+    #HOME_NET: "[192.168.0.0/16]"
+    #HOME_NET: "[10.0.0.0/8]"
+    #HOME_NET: "[172.16.0.0/12]"
+    #HOME_NET: "any"
+
+    EXTERNAL_NET: "!$HOME_NET"
+    #EXTERNAL_NET: "any"
+
+    HTTP_SERVERS: "$HOME_NET"
+    SMTP_SERVERS: "$HOME_NET"
+    SQL_SERVERS: "$HOME_NET"
+    DNS_SERVERS: "$HOME_NET"
+    TELNET_SERVERS: "$HOME_NET"
+    AIM_SERVERS: "$EXTERNAL_NET"
+    DC_SERVERS: "$HOME_NET"
+    DNP3_SERVER: "$HOME_NET"
+    DNP3_CLIENT: "$HOME_NET"
+    MODBUS_CLIENT: "$HOME_NET"
+    MODBUS_SERVER: "$HOME_NET"
+    ENIP_CLIENT: "$HOME_NET"
+    ENIP_SERVER: "$HOME_NET"
+
+  port-groups:
+    HTTP_PORTS: "80"
+    SHELLCODE_PORTS: "!80"
+    ORACLE_PORTS: 1521
+    SSH_PORTS: 22
+    DNP3_PORTS: 20000
+    MODBUS_PORTS: 502
+    FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"
+    FTP_PORTS: 21
+    GENEVE_PORTS: 6081
+    VXLAN_PORTS: 4789
+    TEREDO_PORTS: 3544
+    SIP_PORTS: "[5060, 5061]"
+
+# Global stats configuration
+stats:
+  enabled: yes
+  interval: 8
+
+# Configure the type of alert (and other) logging you would like.
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+      filename: eve.json
+      types:
+        - stats
+        - flow
+        - alert
+        - tls:
+            extended: yes     # enable this for extended logging information
+        - drop:
+            alerts: yes      # log alerts that caused drops
+            flows: all       # start or all: 'start' logs only a single drop
+
+
+firewall:
+  policies:
+    packet-filter: [ "accept:hook" ]
+    tls:
+      request-started: [ "accept:flow" ]
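Review bot: `request-started` under `tls:` uses a different hook vocabulary from the tls-specific progress names (`client-in-progress`, `client-hello-done`, ...) used in the test 81 and 82 hunks, and the file does not say which TLS progress state it maps to. If `request-started` is a generic hook that is valid under any protocol section, a comment such as `# generic request-started hook used in place of a tls-specific progress name` would document that the test covers the generic form; if it is not, this policy line may be silently ignored, and the expected 0 drops would then come from elsewhere, so the intent is worth stating.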
diff --git a/tests/firewall/ruletype-firewall-84-ruleset-default-app-policy-tls-request-started/test.yaml b/tests/firewall/ruletype-firewall-84-ruleset-default-app-policy-tls-request-started/test.yaml
new file mode 100644 (file)
index 0000000..94bd99d
--- /dev/null
@@ -0,0 +1,33 @@
+requires:
+  min-version: 9
+
+pcap: ../../tls/tls-client-hello-frag-01/dump_mtu300.pcap
+
+args:
+  - --simulate-ips
+  - -k none
+
+checks:
+- filter:
+    count: 0
+    match:
+      event_type: drop
+- filter:
+    count: 1
+    match:
+      event_type: flow
+      flow.pkts_toserver: 32
+      flow.pkts_toclient: 30
+      flow.state: "closed"
+      flow.alerted: false
+      flow.action: "accept"
+- filter:
+    count: 1
+    match:
+      event_type: stats
+      stats.ips.accepted: 62
+      stats.ips.blocked: 0
+      stats.ips.rejected: 0
+      stats.ips.drop_reason.default_packet_policy: 0
+      stats.ips.drop_reason.default_app_policy: 0
+      stats.ips.drop_reason.flow_drop: 0