Suricata策略记录

Suricata策略记录
IDS策略添加计划：封锁异常连接端口
参考:https://forum.pfsense.org/index.php?topic=78062.465

# --- Inbound "no server" policy (adapted from the pfSense forum thread referenced above) ---
# "drop" only takes effect when Suricata runs inline (IPS mode); in passive IDS mode a
# drop rule is logged like an alert and nothing is actually blocked.
# The five port ranges below together cover TCP 0-1023 from $EXTERNAL_NET except
# 25, 443, 465 and 993, which are the only privileged ports left reachable.
drop tcp $EXTERNAL_NET any -> $HOME_NET [0:24] (msg:"Golden Rule NO SERVER TCP"; classtype:network-scan; sid:9900004; rev:1;)

drop tcp $EXTERNAL_NET any -> $HOME_NET [26:442] (msg:"Golden Rule NO SERVER TCP"; classtype:network-scan; sid:9900005; rev:1;)

drop tcp $EXTERNAL_NET any -> $HOME_NET [444:464] (msg:"Golden Rule NO SERVER TCP"; classtype:network-scan; sid:9900006; rev:1;)

drop tcp $EXTERNAL_NET any -> $HOME_NET [466:992] (msg:"Golden Rule NO SERVER TCP"; classtype:network-scan; sid:9900007; rev:1;)

drop tcp $EXTERNAL_NET any -> $HOME_NET [994:1023] (msg:"Golden Rule NO SERVER TCP"; classtype:network-scan; sid:9900008; rev:1;)

# --- Remote-admin, database, SIP and management ports above 1023 ---
# NOTE(review): unlike the rules above, these constrain the SOURCE port to [1024:65535],
# so a connection arriving from a source port below 1024 matches none of them; use "any"
# as the source port if that gap is not intentional.
# NOTE(review): sids 990050-990064 are below 1000000, the range the Snort/Suricata
# convention reserves for vendor rulesets; local rules are normally numbered >= 1000000
# to avoid sid collisions with ET/VRT signatures. The sequence also skips 990051, 990056,
# 990058 and 990062 — presumably rules dropped when copying from the thread; confirm.
drop tcp $EXTERNAL_NET [1024:65535] -> $HOME_NET [3389] (msg:"Admin Rule NO SERVER RDP TCP"; classtype:network-scan; sid:990050; rev:1;)

drop tcp $EXTERNAL_NET [1024:65535] -> $HOME_NET [5500] (msg:"Admin Rule NO SERVER VNC TCP"; classtype:network-scan; sid:990052; rev:1;)

drop tcp $EXTERNAL_NET [1024:65535] -> $HOME_NET [5800] (msg:"Admin Rule NO SERVER VNC TCP"; classtype:network-scan; sid:990053; rev:1;)

drop tcp $EXTERNAL_NET [1024:65535] -> $HOME_NET [5900] (msg:"Admin Rule NO SERVER VNC TCP"; classtype:network-scan; sid:990054; rev:1;)

drop tcp $EXTERNAL_NET [1024:65535] -> $HOME_NET [4899] (msg:"Admin Rule NO SERVER RADMIN TCP"; classtype:network-scan; sid:990055; rev:1;)

drop tcp $EXTERNAL_NET [1024:65535] -> $HOME_NET [1433] (msg:"Admin Rule NO SERVER MSSQL TCP"; classtype:network-scan; sid:990057; rev:1;)

drop tcp $EXTERNAL_NET [1024:65535] -> $HOME_NET [5060] (msg:"Admin Rule NO SERVER SIP TCP"; classtype:network-scan; sid:990059; rev:1;)

# NOTE(review): this UDP rule is the only one in the group whose sid has seven digits
# (9900060, between neighbours 990059 and 990061) and the only one using
# classtype:attempted-recon instead of network-scan — confirm both are intentional.
drop udp $EXTERNAL_NET [1024:65535] -> $HOME_NET [5060] (msg:"Admin Rule NO SERVER SIP UDP"; classtype:attempted-recon; sid:9900060; rev:1;)

drop tcp $EXTERNAL_NET [1024:65535] -> $HOME_NET [8172] (msg:"Admin Rule NO SERVER IIS TCP"; classtype:network-scan; sid:990061; rev:1;)

drop tcp $EXTERNAL_NET [1024:65535] -> $HOME_NET [31337] (msg:"Admin Rule NO SERVER Back Orifice TCP"; classtype:network-scan; sid:990063; rev:1;)

drop tcp $EXTERNAL_NET [1024:65535] -> $HOME_NET [47001] (msg:"Admin Rule NO SERVER WinRM TCP"; classtype:network-scan; sid:990064; rev:1;)

# Authors: Jayden Zheng (@fuseyjz) and Wei-Chea Ang (@77_6A)

# Company: Countercept

# Website: https://countercept.com

# Twitter: @countercept

# --- DOUBLEPULSAR SMB implant detection (alert only; these rules do not block) ---
# All three rules anchor on the SMB header: content "|FF|SMB|32|" at offset 4 / depth 5 is
# the 0xFF 'SMB' marker followed by command byte 0x32, the Trans2 command named in msg.
# Request side: traffic into $HOME_NET:445 (flow to_server, established); the second
# content "|0E 00|" exactly 56 bytes after the command is the subcommand referenced in msg.
alert tcp any any -> $HOME_NET 445 (msg:"DOUBLEPULSAR SMB implant - Unimplemented Trans2 Session Setup Subcommand Request"; flow:to_server, established; content:"|FF|SMB|32|"; depth:5; offset:4; content:"|0E 00|"; distance:56; within:2; reference:url,https://twitter.com/countercept/status/853282053323935749; sid:1618009; classtype:attempted-user; rev:1;)

# Response side: from $HOME_NET:445 to any (flow to_client, established). The two bytes
# 25 past the command are |51 00| or |52 00| — presumably little-endian 0x0051 (81) and
# 0x0052 (82), the "81 / 82 Response" codes in msg. Because the destination is "any",
# these also fire on host-to-host SMB inside $HOME_NET, which gives lateral-movement
# visibility but may need threshold tuning on busy file servers — confirm in deployment.
alert tcp $HOME_NET 445 -> any any (msg:"DOUBLEPULSAR SMB implant - Unimplemented Trans2 Session Setup Subcommand - 81 Response"; flow:to_client, established; content:"|FF|SMB|32|"; depth:5; offset:4; content:"|51 00|"; distance:25; within:2; reference:url,https://twitter.com/countercept/status/853282053323935749; sid:1618008; classtype:attempted-user; rev:1;)

alert tcp $HOME_NET 445 -> any any (msg:"DOUBLEPULSAR SMB implant - Unimplemented Trans2 Session Setup Subcommand - 82 Response"; flow:to_client, established; content:"|FF|SMB|32|"; depth:5; offset:4; content:"|52 00|"; distance:25; within:2; reference:url,https://twitter.com/countercept/status/853282053323935749; sid:1618010; classtype:attempted-user; rev:1;)

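# --- Exact HTTP Host match (policy rule) ---
# A Suricata rule must sit on a single line (or use "\" continuation); the copy on the
# page was wrapped across paragraphs, which would be a parse error. Rejoined here.
# How the match works: depth 11 equals the length of "example.com", so the content can
# only match at the very start of the http_host buffer, and isdataat:!1,relative requires
# that no byte follows it — the Host header must be exactly "example.com"
# ("www.example.com" does not match). Suricata normalises the host buffer, so no
# nocase is needed here — confirm against the documentation for the deployed version.
# NOTE(review): sid 666 is in the <1000000 range reserved for vendor rulesets;
# re-number (>= 1000000) before loading it alongside ET/VRT rules.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"Match on : example.com"; content:"GET"; http_method; content:"example.com"; http_host; depth: 11; isdataat:!1,relative; classtype:policy-violation; sid:666; rev:1;)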

# --- Per-host visibility rule ---
# Alerts on every to_server packet to 192.168.8.126:465. There is no tls/content keyword,
# so despite the msg this matches any TCP traffic to that port, not only TLS; and because
# "established" is absent it likely fires on the initial SYN as well. No classtype is set.
# NOTE(review): the hard-coded address looks like a test host — a $HOME_NET variable or an
# address group would keep the rule portable; confirm whether this was meant to stay.
alert tcp any any -> 192.168.8.126 465 (msg:"SURICATA Port 465 TLS Traffic 2"; flow:to_server; sid:2271003; rev:1;)


