suricata | selks | some basic alert rules

Test for domain (https):

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"TEST TLS"; tls.sni; content:"nasa.gov"; nocase; pcre:"/nasa\.gov$/i"; sid:107500111; rev:7; metadata:created_at 2022_02_17, updated_at 2022_02_17;)

Test for domain (http):

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"TEST HOST"; flow:established,to_server; http.method; content:"GET"; http.host; content:"axxel.net"; classtype:unknown; sid:107500113; rev:3; metadata: created_at 2022_02_18, updated_at 2022_02_18;)

Test for IP:

alert ip $HOME_NET any -> $THISIP any (msg:"TEST IP"; classtype:unknown; sid:107500115; rev:6; metadata: created_at 2022_02_18, updated_at 2022_02_18;)

Test for uri:

pass http $HOME_NET any -> $EXTERNAL_NET any (msg:"ALLOW MS FILESTREAMINGSERVICE"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"filestreamingservice/files"; fast_pattern; depth:40; nocase; http.host; content:"microsoft.com"; classtype:unknown; sid:1075001012; rev:1; metadata: created_at 2022_02_18, updated_at 2022_02_18;)
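The four rules above follow one pattern (header, sticky buffer, content, sid/rev/metadata), which is easy to get subtly wrong by hand: an unescaped `.` in a `pcre` matches any character, and a reused sid makes Suricata reject the whole rule file. The following helper is an added example, not code from this post or from Suricata: it generates SNI, Host and IP test rules for a list of indicators with sequential sids, parses rule lines back into header and options, and lints them for duplicate sids, missing `msg`, and unescaped dots in `pcre`. The local sid range, the checks, and the sample indicators are assumptions chosen for the demonstration; `$THISIP` in the IP rule above is likewise a custom address group that must exist under `vars.address-groups` in suricata.yaml, which is why the generator below takes an explicit address instead.

```python
"""Generate and sanity-check Suricata test rules of the kind shown above.

Added example, not Suricata's own tooling.  LOCAL_SID_START, the lint
checks and the sample indicators are constructed assumptions.
"""
import re
from typing import Dict, List, Optional, Tuple

LOCAL_SID_START = 1000000  # assumption: this local range is unused on the sensor

# Rule header: action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r'^(?P<action>alert|pass|drop|reject)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+'
    r'(?P<sport>\S+)\s+(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+'
    r'\((?P<opts>.*)\)\s*$')

UNESCAPED_DOT = re.compile(r'(?<!\\)\.')  # a '.' not preceded by a backslash


def split_options(body: str) -> List[Tuple[str, Optional[str]]]:
    """Split 'k:v; k; ...' on the ';' characters that sit outside double quotes."""
    opts: List[Tuple[str, Optional[str]]] = []
    cur: List[str] = []
    in_quote = esc = False

    def flush() -> None:
        tok = ''.join(cur).strip()
        if tok:
            k, _, v = tok.partition(':')
            opts.append((k.strip(), v.strip() or None))  # bare keyword -> None
        cur.clear()

    for ch in body:
        if esc:                      # character after a backslash is literal
            cur.append(ch); esc = False; continue
        if ch == '\\':
            cur.append(ch); esc = True; continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ';' and not in_quote:
            flush()
        else:
            cur.append(ch)
    flush()
    return opts


def parse_rule(rule: str) -> Dict[str, object]:
    """Parse one rule line into header fields plus an ordered option list."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError(f"not a Suricata rule: {rule[:40]!r}")
    d: Dict[str, object] = m.groupdict()
    d["options"] = split_options(str(d.pop("opts")))
    return d


def lint_rules(rules: List[str]) -> List[str]:
    """Return human-readable findings; an empty list means the set looks sane."""
    findings: List[str] = []
    seen: Dict[str, str] = {}
    for r in rules:
        p = parse_rule(r)
        opts = dict(p["options"])          # last value wins for repeated keys
        sid = opts.get("sid")
        if sid is None:
            findings.append(f"missing sid: {r[:40]}")
        elif sid in seen:
            findings.append(f"duplicate sid {sid}")
        else:
            seen[sid] = r
        if "msg" not in opts:
            findings.append(f"sid {sid}: missing msg")
        for k, v in p["options"]:
            if k == "pcre" and v:
                body = v.strip('"')
                pattern = body[1:body.rfind('/')]   # drop the /.../flags wrapper
                if UNESCAPED_DOT.search(pattern):
                    findings.append(f"sid {sid}: pcre {v} has an unescaped '.'")
    return findings


def tls_sni_rule(domain: str, sid: int, date: str = "2022_02_17") -> str:
    d = domain.lower()
    return (f'alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"TEST TLS {d}"; '
            f'tls.sni; content:"{d}"; nocase; pcre:"/{re.escape(d)}$/i"; '
            f'sid:{sid}; rev:1; metadata:created_at {date}, updated_at {date};)')


def http_host_rule(domain: str, sid: int, date: str = "2022_02_18") -> str:
    d = domain.lower()
    return (f'alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"TEST HOST {d}"; '
            f'flow:established,to_server; http.host; content:"{d}"; nocase; '
            f'classtype:unknown; sid:{sid}; rev:1; metadata:created_at {date}, updated_at {date};)')


def ip_rule(addr: str, sid: int, date: str = "2022_02_18") -> str:
    return (f'alert ip $HOME_NET any -> {addr} any (msg:"TEST IP {addr}"; '
            f'classtype:unknown; sid:{sid}; rev:1; metadata:created_at {date}, updated_at {date};)')


def build_ruleset(domains: List[str], ips: List[str], start: int = LOCAL_SID_START) -> List[str]:
    """One TLS and one HTTP rule per domain, one rule per IP, sequential sids."""
    rules: List[str] = []
    sid = start
    for d in domains:
        rules.append(tls_sni_rule(d, sid)); sid += 1
        rules.append(http_host_rule(d, sid)); sid += 1
    for a in ips:
        rules.append(ip_rule(a, sid)); sid += 1
    return rules


if __name__ == "__main__":
    # Constructed indicators; 203.0.113.0/24 is documentation address space.
    for line in build_ruleset(["nasa.gov", "axxel.net"], ["203.0.113.5"]):
        print(line)
    print(lint_rules(build_ruleset(["nasa.gov"], [])))
```

Write the generated lines to a file and load it exclusively with `suricata -T -S test.rules -c /etc/suricata/suricata.yaml` to let Suricata itself validate the syntax before the rules reach the SELKS sensor; the linter only catches the cheap mistakes (sid collisions, `pcre` dots) before that round trip.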
