|
# suricata-update - modify.conf
|
|
|
|
# Format: <sid> "<from>" "<to>"
|
|
|
|
# Example changing the seconds for rule 2019401 to 3600.
|
|
#2019401 "seconds \d+" "seconds 3600"
|
|
|
|
# Change all trojan-activity rules to drop. Its better to setup a
|
|
# drop.conf for this, but this does show the use of back references.
|
|
#re:classtype:trojan-activity "(alert)(.*)" "drop"
|
|
|
|
# For compatibility, most Oinkmaster modifysid lines should work as
|
|
# well.
|
|
#modifysid * "^drop(.*)noalert(.*)" | "alert${1}noalert${2}"
|
|
|
|
## Reject by classtype
|
|
re:classtype:\s*attempted-user "alert(.*)" "reject\\1" # high Attempted User Privilege Gain
|
|
re:classtype:\s*unsuccessful-user "alert(.*)" "reject\\1" # high Unsuccessful User Privilege Gain
|
|
re:classtype:\s*successful-user "alert(.*)" "reject\\1" # high Successful User Privilege Gain
|
|
re:classtype:\s*attempted-admin "alert(.*)" "reject\\1" # high Attempted Administrator Privilege Gain
|
|
re:classtype:\s*successful-admin "alert(.*)" "reject\\1" # high Successful Administrator Privilege Gain
|
|
re:classtype:\s*shellcode-detect "alert(.*)" "reject\\1" # high Executable code was detected
|
|
#re:classtype:\s*trojan-activity "alert(.*)" "reject\\1" # high A Network Trojan was detected
|
|
re:classtype:\s*web-application-attack "alert(.*)" "reject\\1" # high Web Application Attack
|
|
#re:classtype:\s*kickass-porn "alert(.*)" "reject\\1" # high SCORE! Get the lotion! - WTF? JCA
|
|
re:classtype:\s*policy-violation "alert(.*)" "reject\\1" # high Potential Corporate Privacy Violation
|
|
re:classtype:\s*targeted-activity "alert(.*)" "reject\\1" # high Targeted Malicious Activity was Detected
|
|
re:classtype:\s*exploit-kit "alert(.*)" "reject\\1" # high Exploit Kit Activity Detected
|
|
re:classtype:\s*domain-c2 "alert(.*)" "reject\\1" # high Domain Observed Used for C2 Detected
|
|
re:classtype:\s*credential-theft "alert(.*)" "reject\\1" # high Successful Credential Theft Detected
|
|
re:classtype:\s*bad-unknown "alert(.*)" "reject\\1" # medium Potentially Bad Traffic
|
|
re:classtype:\s*attempted-recon "alert(.*)" "reject\\1" # medium Attempted Information Leak
|
|
re:classtype:\s*successful-recon-limited "alert(.*)" "reject\\1" # medium Information Leak
|
|
re:classtype:\s*successful-recon-largescale "alert(.*)" "reject\\1" # medium Large Scale Information Leak
|
|
re:classtype:\s*attempted-dos "alert(.*)" "drop\\1" # medium Attempted Denial of Service
|
|
re:classtype:\s*successful-dos "alert(.*)" "drop\\1" # medium Denial of Service
|
|
re:classtype:\s*denial-of-service "alert(.*)" "drop\\1" # medium Detection of a Denial of Service Attack
|
|
re:classtype:\s*rpc-portmap-decode "alert(.*)" "reject\\1" # medium Decode of an RPC Query
|
|
re:classtype:\s*suspicious-filename-detect "alert(.*)" "reject\\1" # medium A suspicious filename was detected
|
|
re:classtype:\s*suspicious-login "alert(.*)" "reject\\1" # medium An attempted login using a suspicious username was detected
|
|
re:classtype:\s*system-call-detect "alert(.*)" "reject\\1" # medium A system call was detected
|
|
re:classtype:\s*unusual-client-port-connection "alert(.*)" "reject\\1" # medium A client was using an unusual port
|
|
re:classtype:\s*non-standard-protocol "alert(.*)" "reject\\1" # medium Detection of a non-standard protocol or event
|
|
re:classtype:\s*web-application-activity "alert(.*)" "reject\\1" # medium access to a potentially vulnerable web application
|
|
re:classtype:\s*misc-attack "alert(.*)" "reject\\1" # medium Misc Attack
|
|
re:classtype:\s*default-login-attempt "alert(.*)" "reject\\1" # medium Attempt to login by a default username and password
|
|
#re:classtype:\s*external-ip-check "alert(.*)" "reject\\1" # medium Device Retrieving External IP Address Detected
|
|
re:classtype:\s*pup-activity "alert(.*)" "reject\\1" # medium Possibly Unwanted Program Detected
|
|
re:classtype:\s*social-engineering "alert(.*)" "reject\\1" # medium Possible Social Engineering Attempted
|
|
re:classtype:\s*coin-mining "alert(.*)" "reject\\1" # medium Crypto Currency Mining Activity Detected
|
|
#re:classtype:\s*not-suspicious "alert(.*)" "reject\\1" # low Not Suspicious Traffic
|
|
#re:classtype:\s*unknown "alert(.*)" "reject\\1" # low Unknown Traffic
|
|
#re:classtype:\s*string-detect "alert(.*)" "reject\\1" # low A suspicious string was detected
|
|
re:classtype:\s*network-scan "alert(.*)" "reject\\1" # low Detection of a Network Scan
|
|
#re:classtype:\s*protocol-command-decode "alert(.*)" "reject\\1" # low Generic Protocol Command Decode
|
|
#re:classtype:\s*misc-activity "alert(.*)" "reject\\1" # low Misc activity
|
|
#re:classtype:\s*icmp-event "alert(.*)" "reject\\1" # low Generic ICMP event
|
|
#re:classtype:\s*tcp-connection "alert(.*)" "reject\\1" # vlow A TCP connection was detected
|
|
|
|
|
|
## Reject by rule id
|
|
2013926 "alert(.*)" "reject\\1" # ET POLICY HTTP traffic on port 443 (POST)
|
|
2013927 "alert(.*)" "reject\\1" # ET POLICY HTTP traffic on port 443 (HEAD)
|
|
2013928 "alert(.*)" "reject\\1" # ET POLICY HTTP traffic on port 443 (PROPFIND)
|
|
2013931 "alert(.*)" "reject\\1" # ET POLICY HTTP traffic on port 443 (DELETE)
|
|
|
|
2028380 "alert(.*)" "reject\\1" # ET JA3 Hash - Possible Malware - Neutrino
|
|
|
|
# revert `noalert;` rules
|
|
re:. "(drop|reject)(.*) noalert;" "alert\\2 noalert;"
|
|
|