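# --- SQL injection indicators (Suricata rule syntax) ---
# Buffer fixes: `uri_raw` is not a rule keyword; the content is pinned with
# http_raw_uri and the pcre with the matching /I flag. Each pcre flag must name
# the buffer its content was pinned to (/P request body, /H headers); the /U
# flag used before forced every pcre onto the normalized URI, so the body and
# header rules could not match what their content keyword selected.
# NOTE(review): a bare apostrophe is a very weak indicator (any name or free
# text containing "'" trips it); expect noise until the patterns are tightened.
alert http any any -> any any (msg:"SQL Injection Attempt in URI"; content:"'"; http_raw_uri; pcre:"/[?&;](?:[^=]+|=)'(?:[&;]|$)/I"; sid:1000001; rev:1;)
alert http any any -> any any (msg:"SQL Injection Attempt in HTTP Request Body"; content:"'"; http_client_body; pcre:"/'(?:[?&;]|$)/P"; sid:1000002; rev:1;)
alert http any any -> any any (msg:"SQL Injection Attempt in HTTP Headers"; content:"'"; http_header; pcre:"/'(?:[?&;]|$)/H"; sid:1000003; rev:1;)
# Database wire protocols: `oracle` and `mssql` are not app-layer protocol
# names, and `mysql`/`pgsql` parsers exist only in recent Suricata releases
# (the keyword is `pgsql`, not `postgresql`; confirm against the engine in
# use). Matching on tcp with each server's default port keeps the rules
# loadable everywhere. The /U (HTTP URI) flag is dropped: it has no meaning
# outside HTTP and prevented these pcres from matching.
# NOTE(review): depth:1 requires the quote at the very first payload byte;
# these protocols are length/type prefixed, so confirm that anchor is intended.
alert tcp any any -> any 3306 (msg:"SQL Injection Attempt in MySQL Traffic"; content:"'"; depth:1; pcre:"/'(?:[^\\]|\\')*(?:[?&;]|$)/"; sid:1000004; rev:1;)
alert tcp any any -> any 5432 (msg:"SQL Injection Attempt in PostgreSQL Traffic"; content:"'"; depth:1; pcre:"/'(?:[^\\]|\\')*(?:[?&;]|$)/"; sid:1000005; rev:1;)
alert tcp any any -> any 1521 (msg:"SQL Injection Attempt in Oracle Traffic"; content:"'"; depth:1; pcre:"/'(?:[^\\]|\\')*(?:[?&;]|$)/"; sid:1000006; rev:1;)
alert tcp any any -> any 1433 (msg:"SQL Injection Attempt in SQL Server Traffic"; content:"'"; depth:1; pcre:"/'(?:[^\\]|\\')*(?:[?&;]|$)/"; sid:1000007; rev:1;)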
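# --- Cross-site scripting indicators ---
# sids 1000008-1000014 (constructed local range; move to your reserved sid
# space) replace the 1000001-1000007 values that collided with the SQL
# injection rules; an engine drops or rejects duplicate sids.
# Each pcre is pinned to the buffer it is meant to inspect: /I raw URI,
# /P request body, /H headers. Without a buffer flag pcre inspects the raw
# payload, which is what the earlier `/i`-only rules did regardless of the
# `uri_raw`/http_client_body/http_header keyword in front of them.
# NOTE(review): pcre-only rules have no content anchor for the fast-pattern
# matcher and are evaluated on every request; add a content: once settled.
alert http any any -> any any (msg:"XSS Attempt in URI"; pcre:"/(<|%3C)(script|%73%63%72%69%70%74)/Ii"; sid:1000008; rev:1;)
alert http any any -> any any (msg:"XSS Attempt in HTTP Request Body"; pcre:"/(<|%3C)(script|%73%63%72%69%70%74)/Pi"; sid:1000009; rev:1;)
alert http any any -> any any (msg:"XSS Attempt in HTTP Headers"; pcre:"/(<|%3C)(script|%73%63%72%69%70%74)/Hi"; sid:1000010; rev:1;)
# Content-Type variants: `http_header_content_type` is not a keyword; the
# Suricata modifier is http_content_type. The trailing http_header modifier
# was a second, conflicting buffer on the same content and is dropped.
# NOTE(review): the pcre here still runs over the raw payload and the rule has
# no direction, so an ordinary HTML response carrying a <script> tag fires it.
# Decide whether request (/P) or response (/Q) body is meant and add flow.
alert http any any -> any any (msg:"XSS Attempt in HTML Content-Type"; content:"text/html"; http_content_type; pcre:"/(<|%3C)(script|%73%63%72%69%70%74)/i"; sid:1000011; rev:1;)
alert http any any -> any any (msg:"XSS Attempt in JavaScript Content-Type"; content:"application/javascript"; http_content_type; pcre:"/(<|%3C)(script|%73%63%72%69%70%74)/i"; sid:1000012; rev:1;)
alert http any any -> any any (msg:"XSS Attempt in XML Content-Type"; content:"application/xml"; http_content_type; pcre:"/(<|%3C)(script|%73%63%72%69%70%74)/i"; sid:1000013; rev:1;)
alert http any any -> any any (msg:"XSS Attempt in JSON Content-Type"; content:"application/json"; http_content_type; pcre:"/(<|%3C)(script|%73%63%72%69%70%74)/i"; sid:1000014; rev:1;)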
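# --- Run of 0x41 ("AAAA") as a buffer-overflow heuristic ---
# sids 1000015-1000021 (constructed local range; move to your reserved sid
# space) make these unique: the source reused 1000001-1000007 from the other
# groups and used 1000007 twice within this group.
# `uri_raw` is not a rule keyword; the URI rule now pins its content with
# http_raw_uri like the body/header rules pin theirs.
# NOTE(review): four consecutive "A" bytes occur in ordinary text and in
# base64 (they encode three zero bytes); expect noise until the pattern is
# lengthened or a length test is added.
alert http any any -> any any (msg:"Buffer Overflow Attempt in URI"; content:"|41 41 41 41|"; http_raw_uri; sid:1000015; rev:1;)
alert http any any -> any any (msg:"Buffer Overflow Attempt in HTTP Request Body"; content:"|41 41 41 41|"; http_client_body; sid:1000016; rev:1;)
alert http any any -> any any (msg:"Buffer Overflow Attempt in HTTP Headers"; content:"|41 41 41 41|"; http_header; sid:1000017; rev:1;)
alert ftp any any -> any any (msg:"Buffer Overflow Attempt in FTP Traffic"; content:"|41 41 41 41|"; sid:1000018; rev:1;)
# NOTE(review): `telnet` as an app-layer protocol needs an engine build with
# a telnet parser enabled; confirm, or fall back to tcp port 23.
alert telnet any any -> any any (msg:"Buffer Overflow Attempt in Telnet Traffic"; content:"|41 41 41 41|"; sid:1000019; rev:1;)
# NOTE(review): SSH payload is encrypted after the banner/key exchange, so
# this content match can only see the initial cleartext exchange.
alert ssh any any -> any any (msg:"Buffer Overflow Attempt in SSH Traffic"; content:"|41 41 41 41|"; sid:1000020; rev:1;)
# The DNS rule appeared twice in the source (both as sid 1000007); one kept.
alert dns any any -> any any (msg:"Buffer Overflow Attempt in DNS Traffic"; content:"|41 41 41 41|"; sid:1000021; rev:1;)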
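# --- SMTP command abuse indicators ---
# sids 1000022-1000027 (constructed local range; move to your reserved sid
# space) replace the reused 1000001-1000007 values.
# flow:to_server,established is added on every rule: HELO, MAIL FROM, RCPT TO,
# DATA and the message headers are all client-originated.
# NOTE(review): content:"%0a" matches the literal three characters
# percent-zero-a, not a line feed; if a raw LF was intended use content:"|0a|".
# The RCPT pcre's trailing class includes \s, so it accepts any address followed
# by CR/LF; the literal "%0a" content is the only real filter in that rule.
alert smtp any any -> any any (msg:"SMTP Command Injection Attempt"; flow:to_server,established; content:"%0a"; content:"RCPT TO:"; pcre:"/RCPT\sTO:\s[^[:space:]]+@\S*[%@!#\|\/\$\&\*\(\)\[\]\{\}<>~:\s]/i"; sid:1000022; rev:1;)
alert smtp any any -> any any (msg:"Suspicious Attachment in SMTP Traffic"; flow:to_server,established; content:"Content-Type: application/octet-stream"; sid:1000023; rev:1;)
alert smtp any any -> any any (msg:"SMTP HELO Command with Suspicious Domain"; flow:to_server,established; content:"HELO"; pcre:"/HELO\s+[a-z0-9.-]+\.cn\s+/i"; sid:1000024; rev:1;)
# NOTE(review): any Subject of 20 or more characters matches; treat as a
# placeholder pattern rather than a detection.
alert smtp any any -> any any (msg:"Suspicious SMTP Subject Line"; flow:to_server,established; content:"Subject:"; pcre:"/Subject:\s+.{20,}/"; sid:1000025; rev:1;)
alert smtp any any -> any any (msg:"SMTP Command Injection Attempt in MAIL FROM"; flow:to_server,established; content:"MAIL FROM:"; pcre:"/MAIL\s+FROM:\s+\S*[%@!#\|\/\$\&\*\(\)\[\]\{\}<>~:\s]/i"; sid:1000026; rev:1;)
alert smtp any any -> any any (msg:"SMTP Command Injection Attempt in DATA"; flow:to_server,established; content:"DATA"; pcre:"/DATA\s+[^\r\n]*[%@!#\|\/\$\&\*\(\)\[\]\{\}<>~:\s]/i"; sid:1000027; rev:1;)
# The source carried a second copy of the DATA rule scoped to
# 192.98.25.54-192.99.0.0 port 45. Dash-separated address ranges are not valid
# rule address syntax (use CIDR notation or a bracketed list), and the any/any
# rule above already covers that traffic, so the copy is kept only for reference:
# alert smtp 192.98.25.54-192.99.0.0 45 -> 192.98.25.54-192.99.0.0 45 (msg:"SMTP Command Injection Attempt in DATA"; content:"DATA"; pcre:"/DATA\s+[^\r\n]*[%@!#\|\/\$\&\*\(\)\[\]\{\}<>~:\s]/i"; sid:1000007;)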