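# suricata-update - modify.conf
#
# Format: <sid> "<from>" "<to>"
#   <sid>  is a rule signature id, or "re:<regex>" to select every rule
#          whose text matches <regex>.
#   <from> is a regex applied to the selected rule text; <to> replaces the
#          matched part. Back-references are written \\1, \\2, ... (double
#          backslash), as in every entry below.
#
# Entries are applied to each rule in file order, so the "revert noalert"
# entry at the bottom of this file must stay last.

# Example changing the seconds for rule 2019401 to 3600.
#2019401 "seconds \d+" "seconds 3600"

# Change all trojan-activity rules to drop. Its better to setup a
# drop.conf for this, but this does show the use of back references.
# (The match covers the whole rule, so the replacement must keep group 2;
# a bare "drop" would discard the rest of the rule text.)
#re:classtype:trojan-activity "(alert)(.*)" "drop\\2"

# For compatibility, most Oinkmaster modifysid lines should work as
# well.
#modifysid * "^drop(.*)noalert(.*)" | "alert${1}noalert${2}"

## Reject by classtype
#
# "reject" makes Suricata send an active response (TCP RST / ICMP
# unreachable) to both ends of the flow; only in inline (IPS) mode is the
# packet itself also dropped. A reject is only as trustworthy as the
# signature behind it: the broad classtypes below (policy-violation,
# bad-unknown, attempted-recon, misc-attack, web-application-activity,
# non-standard-protocol, ...) carry a real false-positive rate, so stage
# any newly enabled classtype in alert-only mode and review the hits before
# turning its reject line on.
#
# NOTE(review): rejecting recon/scan classtypes answers the scanner with
# RSTs, which confirms a sensor is present and, for spoofed-source scans,
# sends the responses to third parties. "drop" is the quieter choice there.
re:classtype:\s*attempted-user "alert(.*)" "reject\\1" # high Attempted User Privilege Gain
re:classtype:\s*unsuccessful-user "alert(.*)" "reject\\1" # high Unsuccessful User Privilege Gain
re:classtype:\s*successful-user "alert(.*)" "reject\\1" # high Successful User Privilege Gain
re:classtype:\s*attempted-admin "alert(.*)" "reject\\1" # high Attempted Administrator Privilege Gain
re:classtype:\s*successful-admin "alert(.*)" "reject\\1" # high Successful Administrator Privilege Gain
re:classtype:\s*shellcode-detect "alert(.*)" "reject\\1" # high Executable code was detected
#re:classtype:\s*trojan-activity "alert(.*)" "reject\\1" # high A Network Trojan was detected
re:classtype:\s*web-application-attack "alert(.*)" "reject\\1" # high Web Application Attack
#re:classtype:\s*kickass-porn "alert(.*)" "reject\\1" # high SCORE! Get the lotion! - WTF?
re:classtype:\s*policy-violation "alert(.*)" "reject\\1" # high Potential Corporate Privacy Violation
re:classtype:\s*targeted-activity "alert(.*)" "reject\\1" # high Targeted Malicious Activity was Detected
re:classtype:\s*exploit-kit "alert(.*)" "reject\\1" # high Exploit Kit Activity Detected
re:classtype:\s*domain-c2 "alert(.*)" "reject\\1" # high Domain Observed Used for C2 Detected
re:classtype:\s*credential-theft "alert(.*)" "reject\\1" # high Successful Credential Theft Detected
re:classtype:\s*bad-unknown "alert(.*)" "reject\\1" # medium Potentially Bad Traffic
re:classtype:\s*attempted-recon "alert(.*)" "reject\\1" # medium Attempted Information Leak
re:classtype:\s*successful-recon-limited "alert(.*)" "reject\\1" # medium Information Leak
re:classtype:\s*successful-recon-largescale "alert(.*)" "reject\\1" # medium Large Scale Information Leak
# DoS classtypes are dropped rather than rejected, so the sensor does not
# answer a flood with a second stream of RSTs/ICMP errors.
re:classtype:\s*attempted-dos "alert(.*)" "drop\\1" # medium Attempted Denial of Service
re:classtype:\s*successful-dos "alert(.*)" "drop\\1" # medium Denial of Service
re:classtype:\s*denial-of-service "alert(.*)" "drop\\1" # medium Detection of a Denial of Service Attack
re:classtype:\s*rpc-portmap-decode "alert(.*)" "reject\\1" # medium Decode of an RPC Query
re:classtype:\s*suspicious-filename-detect "alert(.*)" "reject\\1" # medium A suspicious filename was detected
re:classtype:\s*suspicious-login "alert(.*)" "reject\\1" # medium An attempted login using a suspicious username was detected
re:classtype:\s*system-call-detect "alert(.*)" "reject\\1" # medium A system call was detected
re:classtype:\s*unusual-client-port-connection "alert(.*)" "reject\\1" # medium A client was using an unusual port
re:classtype:\s*non-standard-protocol "alert(.*)" "reject\\1" # medium Detection of a non-standard protocol or event
re:classtype:\s*web-application-activity "alert(.*)" "reject\\1" # medium access to a potentially vulnerable web application
re:classtype:\s*misc-attack "alert(.*)" "reject\\1" # medium Misc Attack
re:classtype:\s*default-login-attempt "alert(.*)" "reject\\1" # medium Attempt to login by a default username and password
#re:classtype:\s*external-ip-check "alert(.*)" "reject\\1" # medium Device Retrieving External IP Address Detected
re:classtype:\s*pup-activity "alert(.*)" "reject\\1" # medium Possibly Unwanted Program Detected
re:classtype:\s*social-engineering "alert(.*)" "reject\\1" # medium Possible Social Engineering Attempted
re:classtype:\s*coin-mining "alert(.*)" "reject\\1" # medium Crypto Currency Mining Activity Detected
#re:classtype:\s*not-suspicious "alert(.*)" "reject\\1" # low Not Suspicious Traffic
#re:classtype:\s*unknown "alert(.*)" "reject\\1" # low Unknown Traffic
#re:classtype:\s*string-detect "alert(.*)" "reject\\1" # low A suspicious string was detected
re:classtype:\s*network-scan "alert(.*)" "reject\\1" # low Detection of a Network Scan
#re:classtype:\s*protocol-command-decode "alert(.*)" "reject\\1" # low Generic Protocol Command Decode
#re:classtype:\s*misc-activity "alert(.*)" "reject\\1" # low Misc activity
#re:classtype:\s*icmp-event "alert(.*)" "reject\\1" # low Generic ICMP event
#re:classtype:\s*tcp-connection "alert(.*)" "reject\\1" # vlow A TCP connection was detected

## Reject by rule id
2013926 "alert(.*)" "reject\\1" # ET POLICY HTTP traffic on port 443 (POST)
2013927 "alert(.*)" "reject\\1" # ET POLICY HTTP traffic on port 443 (HEAD)
2013928 "alert(.*)" "reject\\1" # ET POLICY HTTP traffic on port 443 (PROPFIND)
2013931 "alert(.*)" "reject\\1" # ET POLICY HTTP traffic on port 443 (DELETE)
# NOTE(review): a JA3 hash identifies a TLS client stack, not a specific
# program; rejecting on it can also block benign software built on the same
# library. Verify the hit rate in alert mode before relying on this reject.
2028380 "alert(.*)" "reject\\1" # ET JA3 Hash - Possible Malware - Neutrino

# Revert `noalert;` rules. Rules carrying flowbits "noalert;" only set state
# for other rules and never produce an alert, so leaving them on drop/reject
# would block traffic with nothing logged. The action is anchored to the
# start of the rule so a "drop"/"reject" inside msg text is never rewritten,
# and both "flowbits:noalert;" and "flowbits: noalert;" spellings are
# matched. Keep this entry last.
re:. "^(drop|reject)(.*noalert;)" "alert\\2"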