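# snort_custom.rules -- local rules in Snort 2 syntax (tcp/udp/icmp protocol
# headers; content modifiers such as http_uri/nocase follow the content they
# apply to). Local SIDs stay in the 1000000+ range; rev is bumped on every rule
# whose match logic changed. Validate the file with `snort -T -c <snort.conf>`
# after editing.
#
# Changes from the previous revision:
#   * sid 1000002/1000007/1000009 used `alert http`, which is a Snort 3 service
#     name and is not a valid Snort 2 protocol; the header is now `alert tcp`
#     and the port is $HTTP_PORTS (defined in the default snort.conf) so HTTP
#     listeners on other ports are covered too.
#   * sid 1000004/1000008 counted every packet of an established session
#     (detection_filter with no content match), so any normal SSH/RDP session
#     tripped the limit within seconds; they now count SYNs per source.
#   * sid 1000003 pointed at replies from an internal DNS server; egress
#     tunneling is client queries to external port 53.
#   * sid 1000005/1000006 now restrict to client->server established traffic.

# SYN flood: >=100 SYNs from one source to port 80 within 10s. "S,12" masks
# the two ECN bits (CWR/ECE) so ECN-capable SYNs are still counted as SYNs.
# NOTE(review): the `threshold` rule option is reported deprecated in favour
# of detection_filter (in the rule) plus event_filter (in the config); it is
# kept here because a bare detection_filter would raise an alert on every
# SYN past the count during a flood. Migrate together with an event_filter.
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg: "Possible SYN Flood detected"; flags: S,12; threshold: type both, track by_src, count 100, seconds 10; sid: 1000001; rev: 2;)

# Web shell probe: "cmd.exe" anywhere in the normalized request URI (the
# http_uri buffer is URL-decoded by the HTTP preprocessor). URI only -- the
# same string in a POST body is not inspected by this rule.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg: "Potential web shell attempt"; flow: to_server, established; content: "cmd.exe"; http_uri; nocase; sid: 1000002; rev: 2;)

# DNS tunneling (egress): queries from inside to external resolvers/authoritative
# servers on udp/53. The content below is a placeholder that no real query
# contains (a long run of literal "X"), so the rule cannot fire until it is
# replaced with a pattern taken from your own traffic. dsize:>50 is close to
# the size of ordinary queries, so dropping the content match without further
# tuning will be noisy.
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg: "Potential DNS Tunneling"; content: "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"; dsize: >50; sid: 1000003; rev: 2;)

# SSH brute force: >=5 new connections (SYNs) from one source to port 22 in 60s.
# detection_filter alerts on every matching packet once the count is reached;
# pair with an event_filter in the config to bound alert volume. This sees
# many-connection guessing only; repeated attempts inside a single session are
# not visible at this layer.
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg: "Possible SSH Brute Force Attack"; flags: S,12; detection_filter: track by_src, count 5, seconds 60; sid: 1000004; rev: 2;)

# FTP command injection: client commands only (server replies on port 21 were
# previously matched as well). Match sequence is unchanged: a space followed
# by ";" and then "LIST" beginning within 20 bytes after it.
# NOTE(review): confirm that order is intended; a command followed by a
# separator would be the reverse sequence and is not matched here.
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg: "FTP Command Injection Attempt"; flow: to_server, established; content: "|20|;"; content: "LIST"; distance: 0; within: 20; sid: 1000005; rev: 2;)

# DoublePulsar: restricted to the request direction.
# NOTE(review): eight null bytes at payload offset 0 does not look like an SMB
# message (SMB over 445 starts with a 4-byte NetBIOS session header followed by
# the \xffSMB or \xfeSMB marker); validate this pattern against a known pcap
# before relying on the rule.
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg: "Possible DoublePulsar Exploit Attempt"; flow: to_server, established; content: "|00 00 00 00 00 00 00 00|"; offset: 0; depth: 8; sid: 1000006; rev: 2;)

# SQL injection: "select " is the cheap content pre-filter; the PCRE then
# checks for the union/select/from sequence over the raw payload, so both the
# URI and a request body are covered.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg: "Possible SQL Injection Attempt"; flow: to_server, established; content: "select "; nocase; pcre: "/union.*select.*from/i"; sid: 1000007; rev: 2;)

# RDP brute force: same SYN-counting approach and caveats as sid 1000004.
alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg: "Possible RDP Brute Force Attack"; flags: S,12; detection_filter: track by_src, count 10, seconds 60; sid: 1000008; rev: 2;)

# Reflected XSS probe: literal "<script>" in the normalized URI. URI only;
# variants with attributes or whitespace inside the tag are not matched.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg: "Possible XSS Attempt"; flow: to_server, established; content: "<script>"; http_uri; nocase; sid: 1000009; rev: 2;)

# ICMP tunneling: any outbound ICMP with more than 100 payload bytes. No
# itype restriction, so echo replies and other types from inside count too.
# NOTE(review): tune the size against the ping payload sizes in use on your
# hosts before deploying.
alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg: "Possible ICMP Tunneling"; dsize: >100; sid: 1000010; rev: 1;)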