-
Notifications
You must be signed in to change notification settings - Fork 0
/
local.rules
26 lines (20 loc) · 1.7 KB
/
local.rules
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
# TEST CASE ONE
# ---------------------
# Content-Matching Rules
alert tcp any any -> any any (msg:"Benign File Detected Using Content Matching (v1)"; content:"This is a benign file. There is nothing interesting here."; sid:1;)
alert tcp any any -> any any (msg:"Benign File Detected Using Hex Byte Sequence (v2)"; file_data, content:"|54 68 69 73 20 69 73 20 61 20 62 65 6e 69 67 6e 20 66 69 6c 65 2e 20 54 68 65 72 65 20 69 73 20 6e 6f 74 68 69 6e 67 20 69 6e 74 65 72 65 73 74 69 6e 67 20 68 65 72 65 2e|"; sid:2;)
# Port Activity Rules
alert tcp any any -> any any (msg:"Activity on Port 4444 (v1)"; sid:3;)
alert tcp any 4444 -> 127.0.0.1 any (msg:"Activity on Port 4444 (v2)"; sid:4;)
alert tcp 127.0.0.1 4444 -> any any (msg:"Activity on Port 4444 (v3)"; sid:5;)
alert tcp 127.0.0.1 any -> any 4444 (msg:"Activity on Port 4444 (v4)"; sid:6;)
# TEST CASE TWO
# ---------------------
alert tcp any any -> any any (msg:"Benign File Transfer Through Signature Based Detection (v1)"; sha256:"|INSERT SHA-256 HASH HERE|", length 64; sid:7;)
alert tcp 127.0.0.1 4444 > any any (msg:"Benign File Transfer Through Signature Based Detection (v2)"; sha256:"|INSERT SHA-256 HASH HERE|", length 64; sid:8;)
alert tcp any any > any any (msg:"Benign File Transfer Through Signature Based Detection (v3)"; sha256:"INSERT SHA-256 HASH HERE", length 64; std:9;)
# OTHER RULES
# ---------------------
alert icmp any any -> any any (msg:"ICMP Traffic Detected (v1)"; sid:10; metadata:policy securtty-ips alert;)
alert icmp any any -> 127.0.0.1 4444 (msg:"ICMP Traffic Detected (v2)"; sid:11; metadata:policy security-ips alert;)
alert icmp 127.0.0.1 4444 -> any any (msg:"ICMP Traffic Detected (v3)"; sid:12; metadata:policy security-ips alert;)