Suricata rules for protocol anomalies
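# Protocol-anomaly rules: raise an alert when Suricata's application-layer
# detection sees a protocol on a port it is not expected on ("X on unusual
# port"), or sees something other than the expected protocol on a well-known
# port ("non-X on port N"). Every rule is rate-limited with
# `threshold: type limit, track by_src, seconds 60, count 1`, so one source
# produces at most one alert per rule per minute regardless of flow count.
#
# Deployment notes:
# - All rules use flow:to_server, so they fire on the client->server side of
#   the flow; no `established` keyword is set.
# - No classtype is set, so alerts carry the default priority. If your
#   pipeline keys on classtype, add one (e.g. classtype:protocol-command-decode)
#   and bump the rev of every rule you touch.
# - NOTE(review): whether the negated form (app-layer-protocol:!x) also matches
#   flows whose protocol could not be determined differs between Suricata
#   versions; confirm on the deployed version before treating "non-X" hits on a
#   busy port as a strong signal. Tune with threshold.config / suppress rather
#   than by widening the port lists.

# HTTP
alert tcp any any -> any !80 (msg:"SURICATA HTTP on unusual port"; flow:to_server; app-layer-protocol:http; threshold: type limit, track by_src, seconds 60, count 1; sid:2271001; rev:1;)
alert tcp any any -> any 80 (msg:"SURICATA non-HTTP on TCP port 80"; flow:to_server; app-layer-protocol:!http; threshold: type limit, track by_src, seconds 60, count 1; sid:2271002; rev:1;)

# TLS. 587 (submission) is excluded from the "unusual port" list because a
# session there starts as plaintext SMTP and only upgrades via STARTTLS; for
# the same reason it is deliberately NOT in the "non-TLS on TLS port" list.
alert tcp any any -> any ![443,465,587] (msg:"SURICATA TLS on unusual port"; flow:to_server; app-layer-protocol:tls; threshold: type limit, track by_src, seconds 60, count 1; sid:2271004; rev:1;)
alert tcp any any -> any [443,465] (msg:"SURICATA non-TLS on TLS port"; flow:to_server; app-layer-protocol:!tls; threshold: type limit, track by_src, seconds 60, count 1; sid:2271003; rev:1;)

# FTP. app-layer-protocol:ftp matches the FTP *control* channel only. Port 20
# carries the FTP data channel, which is not parsed as "ftp", so the original
# "non-FTP" rule on [20,21] fired on every legitimate active-mode transfer.
# sid 2271006 now watches port 21 only (rev bumped); the "unusual port" rule
# still excludes 20 so data-channel traffic is not flagged either way.
alert tcp any any -> any ![20,21] (msg:"SURICATA FTP on unusual TCP port"; flow:to_server; app-layer-protocol:ftp; threshold: type limit, track by_src, seconds 60, count 1; sid:2271005; rev:1;)
alert tcp any any -> any 21 (msg:"SURICATA non-FTP on TCP port 21"; flow:to_server; app-layer-protocol:!ftp; threshold: type limit, track by_src, seconds 60, count 1; sid:2271006; rev:2;)

# SSH
alert tcp any any -> any !22 (msg:"SURICATA SSH on unusual port"; flow:to_server; app-layer-protocol:ssh; threshold: type limit, track by_src, seconds 60, count 1; sid:2271009; rev:1;)
alert tcp any any -> any 22 (msg:"SURICATA non-SSH on TCP port 22"; flow:to_server; app-layer-protocol:!ssh; threshold: type limit, track by_src, seconds 60, count 1; sid:2271010; rev:1;)

# IMAP
alert tcp any any -> any !143 (msg:"SURICATA IMAP on unusual port"; flow:to_server; app-layer-protocol:imap; threshold: type limit, track by_src, seconds 60, count 1; sid:2271011; rev:1;)
alert tcp any any -> any 143 (msg:"SURICATA non-IMAP on TCP port 143"; flow:to_server; app-layer-protocol:!imap; threshold: type limit, track by_src, seconds 60, count 1; sid:2271012; rev:1;)

# SMB over NetBIOS session service (139). Only the "non-SMB" direction is
# covered here; there is no "SMB on unusual port" counterpart in this set.
alert tcp any any -> any 139 (msg:"SURICATA non-SMB on TCP port 139"; flow:to_server; app-layer-protocol:!smb; threshold: type limit, track by_src, seconds 60, count 1; sid:2271013; rev:1;)

# DCERPC on HTTP ports (RPC where HTTP is expected).
alert tcp any any -> any [80,8080] (msg:"SURICATA DCERPC detected over port tcp 80,8080"; flow:to_server; app-layer-protocol:dcerpc; threshold: type limit, track by_src, seconds 60, count 1; sid:2271014; rev:1;)

# DNS, TCP and UDP transports separately.
alert tcp any any -> any !53 (msg:"SURICATA DNS-TCP on unusual port"; flow:to_server; app-layer-protocol:dns; threshold: type limit, track by_src, seconds 60, count 1; sid:2271015; rev:1;)
alert tcp any any -> any 53 (msg:"SURICATA non-DNS-TCP on TCP port 53"; flow:to_server; app-layer-protocol:!dns; threshold: type limit, track by_src, seconds 60, count 1; sid:2271016; rev:1;)
alert udp any any -> any !53 (msg:"SURICATA DNS-UDP on unusual port"; flow:to_server; app-layer-protocol:dns; threshold: type limit, track by_src, seconds 60, count 1; sid:2271017; rev:1;)
alert udp any any -> any 53 (msg:"SURICATA non-DNS-UDP on UDP port 53"; flow:to_server; app-layer-protocol:!dns; threshold: type limit, track by_src, seconds 60, count 1; sid:2271018; rev:1;)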