Snort # LOCAL RULES
# ' $Id: local.rules,v 1.11 2004/07/23 20:15:44 bmc Exp
# ' ----------------
# ' LOCAL RULES
# ' ----------------
# ' Copyright 2001-2013 Sourcefire, Inc. All Rights Reserved.
# '
# ' This file contains (i) proprietary rules that were created, tested and certified by
# ' Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
# ' Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
# ' Sourcefire and other third parties (the "GPL Rules") that are distributed under the
# ' GNU General Public License (GPL), v2.
# '
# ' The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
# ' by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
# ' owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
# ' their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
# ' list of third party owners and their respective copyrights.
# '
# ' In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
# ' to the VRT Certified Rules License Agreement (v2.0).
# '
# ' Note: the header above is the stock Sourcefire banner; the rules below are site-local
# ' rules (sid >= 1000000) written by the file's owner, not VRT or GPL rules.
# '-------------
# ' LOCAL RULES
# '-------------
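# Disabled: alerting on every ICMP packet floods the console. Enable only as a quick sanity check
# that the sensor sees traffic.
#alert icmp any any -> any any (msg:"Pinging..."; sid:1000004; rev:2;)
# Connection attempt to the default IRC port. flags:S,12 matches a SYN (reserved bits ignored),
# so this fires once per connection attempt instead of once per packet of every IRC session.
alert tcp any any -> any 6667 (msg:"IRC protocol traffic"; flags:S,12; classtype:policy-violation; sid:1000005; rev:2;)
# Bot commands pushed from an IRC server (source port 6667) to a client.
# flow:to_client,established limits the match to server->client data on a tracked TCP session
# (unsolicited or spoofed packets cannot trigger it); nocase keeps a trivial case change of the
# command keyword (e.g. "!NetInfo") from evading the content match.
alert tcp any 6667 -> any any (msg:"C&C Server sent netinfo command"; flow:to_client,established; content:"!netinfo"; nocase; classtype:trojan-activity; sid:1000006; rev:2;)
alert tcp any 6667 -> any any (msg:"C&C Server sent sysinfo command"; flow:to_client,established; content:"!sysinfo"; nocase; classtype:trojan-activity; sid:1000007; rev:2;)
alert tcp any 6667 -> any any (msg:"C&C Server sent port scan command"; flow:to_client,established; content:"!scan"; nocase; classtype:trojan-activity; sid:1000008; rev:2;)
alert tcp any 6667 -> any any (msg:"C&C Server sent download command"; flow:to_client,established; content:"!download"; nocase; classtype:trojan-activity; sid:1000009; rev:2;)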
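# [myrules]
# Disabled catch-all HTTP rules. Kept for reference; the missing ';' after rev has been added so
# they parse if re-enabled (Snort 2 requires every option, including the last, to end with ';').
#alert tcp any any <> $HOME_NET $HTTP_PORTS (msg:"Network TCP HTTP Traffic"; sid:9370009; rev:2;)
#alert udp any any <> $HOME_NET $HTTP_PORTS (msg:"Network UDP HTTP Traffic"; sid:9370010; rev:2;)
# Connection attempts involving common remote-admin, mail, directory and TLS service ports on
# $HOME_NET. The original rule lacked the ';' after sid (a parse error in Snort 2) and matched
# every packet of every such session; flags:S,12 reduces it to one alert per connection attempt.
alert tcp any any <> $HOME_NET [21,22,23,25,443,465,636,992,993,995,2484] (msg:"Traffic [21,22,23,25,443,465,636,992,993,995,2484]"; flags:S,12; classtype:misc-activity; sid:9370019; rev:2;)
# One alert per new TCP connection on port 80 (was one alert per packet in both directions).
alert tcp any any <> any 80 (msg:"Network HTTP port 80 Traffic"; flags:S,12; classtype:misc-activity; sid:9370120; rev:3;)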
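# Port 5443 is the local API endpoint (https://localhost:5443/api/v1/auth/account).
# The API account's username and password belong in the application's secret store;
# never record them in this rules file or its comments, which are typically world-readable.
#
# Connection attempts between $HOME_NET:5443 and $EXTERNAL_NET. The original msg ("PostGree mysql")
# did not describe the port being watched and the rule lacked the ';' after rev (a parse error in
# Snort 2); flags:S,12 makes it fire once per connection attempt rather than on every packet.
alert tcp $HOME_NET 5443 <> $EXTERNAL_NET any (msg:"Connection attempt on local API port 5443"; flags:S,12; classtype:misc-activity; sid:93789880; rev:2;)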
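#[Microsoft SSDP -- UPnP Devices]
# SSDP (UDP/1900) between $HOME_NET and the outside. The outside has no legitimate reason to
# discover internal UPnP devices, and Internet-reachable SSDP responders are commonly abused as
# reflectors in amplification DDoS, so both directions are rejected.
# NOTE: reject/drop only block traffic when Snort runs inline; in passive (IDS) mode these rules
# can at most generate an alert, so do not rely on them as the only control for SSDP exposure.
# The missing ';' after rev has been added (Snort 2 requires every option to end with ';').
reject udp $HOME_NET 1900 <> $EXTERNAL_NET any (msg:"Microsoft SSDP UPnP devices"; classtype:policy-violation; sid:9370000; rev:6;)
# TCP/5000 -- the port the Windows UPnP service historically listened on; confirm against your
# hosts before relying on this, and note the msg is shared with the UDP/1900 rule above.
reject tcp $HOME_NET 5000 <> $EXTERNAL_NET any (msg:"Microsoft SSDP UPnP devices"; classtype:policy-violation; sid:9270001; rev:6;)
# Disabled alert-only variant (outbound SSDP only); kept for reference.
#alert ip $HOME_NET 1900 -> $EXTERNAL_NET any (msg:"Microsoft SSDP Enables discovery of UPnP devices"; sid:9270002; rev:2;)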
#[rev rules] -- disabled reference rules; both are catch-alls that would alert on every packet.
#alert ip any any -> any any (msg:"Protocol Network Traffic"; sid:1270005; rev:2;)
# If the rule below is ever re-enabled, renumber it: sid 498 is in the range reserved for
# distributed rules (local rules must use sid >= 1000000).
#alert tcp $EXTERNAL_NET any <> $HOME_NET any (msg:"TCP NETWORK DATA"; classtype:web-application-activity; sid:498; rev:6;)