
    Suricata策略记录
    IDS策略添加计划,封锁异常连接端口
    参考:https://forum.pfsense.org/index.php?topic=78062.465
    
    # --- Set 1: "Golden Rule" -------------------------------------------------
    # Drop inbound TCP to every privileged port (0-1023) except the four ports
    # that fall in the gaps between the five ranges below: 25, 443, 465 and 993
    # (conventionally SMTP, HTTPS, SMTPS and IMAPS). Source port is `any` here,
    # unlike the Admin rules further down.
    # NOTE: `drop` is only enforced when Suricata runs inline (IPS mode); in a
    # passive IDS deployment a matching packet is logged as a drop but not blocked.
    # NOTE(review): sids 9900004-9900008 are 7 digits while the Admin rules below
    # use 6-digit 990050-990064 (except sid:9900060 on the UDP SIP rule). sids
    # only have to be unique across the loaded rule set, but the mixed widths look
    # accidental; the Suricata docs set aside 1000000-1999999 for local rules.
    drop tcp $EXTERNAL_NET any -> $HOME_NET [0:24] (msg:"Golden Rule NO SERVER TCP"; classtype:network-scan; sid:9900004; rev:1;)
    
    drop tcp $EXTERNAL_NET any -> $HOME_NET [26:442] (msg:"Golden Rule NO SERVER TCP"; classtype:network-scan; sid:9900005; rev:1;)
    
    drop tcp $EXTERNAL_NET any -> $HOME_NET [444:464] (msg:"Golden Rule NO SERVER TCP"; classtype:network-scan; sid:9900006; rev:1;)
    
    drop tcp $EXTERNAL_NET any -> $HOME_NET [466:992] (msg:"Golden Rule NO SERVER TCP"; classtype:network-scan; sid:9900007; rev:1;)
    
    drop tcp $EXTERNAL_NET any -> $HOME_NET [994:1023] (msg:"Golden Rule NO SERVER TCP"; classtype:network-scan; sid:9900008; rev:1;)
    
    # --- Set 2: "Admin Rule" --------------------------------------------------
    # Drop inbound TCP (and UDP for SIP) to single remote-management / database
    # ports above 1023 that the Golden Rule ranges do not reach. The source port is
    # restricted to [1024:65535], so a connection sourced from a port below 1024 is
    # NOT matched by these rules — TODO confirm that is intended rather than a
    # leftover from a template. sids 990051, 990056, 990058 and 990062 are unused.
    # Same IPS/IDS caveat as above: `drop` blocks only when running inline.
    drop tcp $EXTERNAL_NET [1024:65535] -> $HOME_NET [3389] (msg:"Admin Rule NO SERVER RDP TCP"; classtype:network-scan; sid:990050; rev:1;)
    
    drop tcp $EXTERNAL_NET [1024:65535] -> $HOME_NET [5500] (msg:"Admin Rule NO SERVER VNC TCP"; classtype:network-scan; sid:990052; rev:1;)
    
    drop tcp $EXTERNAL_NET [1024:65535] -> $HOME_NET [5800] (msg:"Admin Rule NO SERVER VNC TCP"; classtype:network-scan; sid:990053; rev:1;)
    
    drop tcp $EXTERNAL_NET [1024:65535] -> $HOME_NET [5900] (msg:"Admin Rule NO SERVER VNC TCP"; classtype:network-scan; sid:990054; rev:1;)
    
    drop tcp $EXTERNAL_NET [1024:65535] -> $HOME_NET [4899] (msg:"Admin Rule NO SERVER RADMIN TCP"; classtype:network-scan; sid:990055; rev:1;)
    
    drop tcp $EXTERNAL_NET [1024:65535] -> $HOME_NET [1433] (msg:"Admin Rule NO SERVER MSSQL TCP"; classtype:network-scan; sid:990057; rev:1;)
    
    drop tcp $EXTERNAL_NET [1024:65535] -> $HOME_NET [5060] (msg:"Admin Rule NO SERVER SIP TCP"; classtype:network-scan; sid:990059; rev:1;)
    
    # UDP twin of the SIP rule above; note the 7-digit sid and the different
    # classtype (attempted-recon) compared with its TCP counterpart.
    drop udp $EXTERNAL_NET [1024:65535] -> $HOME_NET [5060] (msg:"Admin Rule NO SERVER SIP UDP"; classtype:attempted-recon; sid:9900060; rev:1;)
    
    drop tcp $EXTERNAL_NET [1024:65535] -> $HOME_NET [8172] (msg:"Admin Rule NO SERVER IIS TCP"; classtype:network-scan; sid:990061; rev:1;)
    
    drop tcp $EXTERNAL_NET [1024:65535] -> $HOME_NET [31337] (msg:"Admin Rule NO SERVER Back Orifice TCP"; classtype:network-scan; sid:990063; rev:1;)
    
    drop tcp $EXTERNAL_NET [1024:65535] -> $HOME_NET [47001] (msg:"Admin Rule NO SERVER WinRM TCP"; classtype:network-scan; sid:990064; rev:1;)
    
    # --- Set 3: DOUBLEPULSAR SMB implant detection (published by Countercept) ---
    # Authors: Jayden Zheng (@fuseyjz) and Wei-Chea Ang (@77_6A)
    
    # Company: Countercept
    
    # Website: https://countercept.com
    
    # Twitter: @countercept
    
    # All three rules are `alert` (detect only) on established SMB sessions and
    # anchor on the SMB header bytes |FF|SMB followed by command byte 0x32 at
    # offset 4 (depth 5). The request rule then requires |0E 00| two bytes wide,
    # 56 bytes after that match (the Trans2 subcommand named in msg); the two
    # response rules require |51 00| (0x51 = 81) or |52 00| (0x52 = 82) 25 bytes
    # after the header match, which is where the "81"/"82" in their msg comes from.
    # The request rule uses source `any`, not $EXTERNAL_NET, so internal-to-
    # internal SMB (lateral movement) is covered as well. sids 1618008-1618010 are
    # the published signature's own ids, not in the local range.
    alert tcp any any -> $HOME_NET 445 (msg:"DOUBLEPULSAR SMB implant - Unimplemented Trans2 Session Setup Subcommand Request"; flow:to_server, established; content:"|FF|SMB|32|"; depth:5; offset:4; content:"|0E 00|"; distance:56; within:2; reference:url,https://twitter.com/countercept/status/853282053323935749; sid:1618009; classtype:attempted-user; rev:1;)
    
    alert tcp $HOME_NET 445 -> any any (msg:"DOUBLEPULSAR SMB implant - Unimplemented Trans2 Session Setup Subcommand - 81 Response"; flow:to_client, established; content:"|FF|SMB|32|"; depth:5; offset:4; content:"|51 00|"; distance:25; within:2; reference:url,https://twitter.com/countercept/status/853282053323935749; sid:1618008; classtype:attempted-user; rev:1;)
    
    alert tcp $HOME_NET 445 -> any any (msg:"DOUBLEPULSAR SMB implant - Unimplemented Trans2 Session Setup Subcommand - 82 Response"; flow:to_client, established; content:"|FF|SMB|32|"; depth:5; offset:4; content:"|52 00|"; distance:25; within:2; reference:url,https://twitter.com/countercept/status/853282053323935749; sid:1618010; classtype:attempted-user; rev:1;)
    
    # --- Set 4: HTTP Host policy example ---------------------------------------
    # Alert on outbound HTTP GET whose Host header is exactly "example.com":
    # content:"example.com" is 11 bytes, depth:11 pins it to the start of the
    # host buffer and isdataat:!1,relative requires nothing to follow it.
    # NOTE(review): as pasted, this single rule is broken across several lines
    # (the msg string ends after "Match on :"). Suricata reads one rule per line
    # unless lines are continued with a trailing backslash, so this text will fail
    # to load until it is re-joined onto one line — TODO confirm the intended msg.
    alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"Match on :
    
    example.com"; content:"GET"; http_method; content:"example.com";
    
    http_host; depth: 11; isdataat:!1,relative;
    
    classtype:policy-violation; sid:666; rev:1;)
    
    # --- Set 5: ad-hoc host rule -----------------------------------------------
    # Alerts on the client-direction packets of any TCP connection to the single
    # hard-coded host 192.168.8.126 on port 465. There is no `established`, no
    # content match and no TLS keyword, so "TLS Traffic" in msg is inferred from
    # the port, not detected; the rule also has no classtype, unlike the others.
    # Consider a $HOME_NET-based address or an address variable instead of a
    # literal IP so the rule survives re-addressing.
    alert tcp any any -> 192.168.8.126 465 (msg:"SURICATA Port 465 TLS Traffic 2"; flow:to_server; sid:2271003; rev:1;)
    
    
    
    
    迷茫的人生,需要不断努力,才能看清远方模糊的志向!
  • 原文地址:https://www.cnblogs.com/autopwn/p/15701664.html