Suricata Rules

https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricata_Rules

https://suricata.readthedocs.io/en/suricata-4.1.4/rules/index.html

Suricata Rules

Introduction

Signatures play a very important role in Suricata. In most occasions people are using existing rulesets. The most used are Emerging ThreatsEmerging Threats Pro and source fire's VRT. A way to install rules is described in Rule Management with Oinkmaster.
This Suricata Rules document explains all about signatures; how to read-, adjust-and create them.

A rule/signature consists of the following:
The action, header and rule-options.

Example of a signature:

Action

For more information read 'Action Order' in the suricata.yaml wiki.

Example:

In this example the red, bold-faced part is the action.

Protocol

This keyword in a signature tells Suricata which protocol it concerns. You can choose between four settings. tcp (for tcp-traffic), udp, icmp and ip. ip stands for 'all' or 'any'.
Suricata adds a few protocols : http, ftp, tls (this includes ssl), smb and dns (from v2.0). These are the so-called application layer protocols or layer 7 protocols.
If you have a signature with for instance a http-protocol, Suricata makes sure the signature can only match if it concerns http-traffic.

Example:

In this example the red, bold-faced part is the protocol.

Source and destination

In source you can assign IP-addresses; IPv4 and IPv6 combined as well as separated. You can also set variables such as HOME_NET. (For more information see 'Rule-vars' at Suricata.yaml in the user guide.) 
In the Yaml-file you can set IP-addresses for variables such as EXTERNAL_NET and HOME_NET. These settings will be used when you use these variables in a rule.
In source and destination you can make use of signs like ! And [ ].

For example:

! 1.1.1.1                       (Every IP address but 1.1.1.1)

![1.1.1.1, 1.1.1.2]             (Every IP address but 1.1.1.1 and 1.1.1.2)

$HOME_NET                       (Your setting of HOME_NET in yaml)

[$EXTERNAL_NET, !$HOME_NET]     (EXTERNAL_NET and not HOME_NET)

[10.0.0.0/24, !10.0.0.5]        (10.0.0.0/24 except for 10.0.0.5)

[…..,[....]]

[…. ,![.....]]

Pay attention to the following:

If your settings in Yaml are:

HOME_NET: any 
EXTERNAL_NET: ! $HOME_NET
You can not write a signature using EXTERNAL_NET because it stands for 'not any'. This is a invalid setting.

Example of source and destination in a signature:

The red, bold-faced part is the source.

The red, bold-faced part is the destination.

Ports (source-and destination-port)

Traffic comes in and goes out through ports. Different ports have different port-numbers. The HTTP-port for example is 80 while 443 is the port for HTTPS and MSN makes use of port 1863. Commonly the Source port will be set as 'any'. This will be influenced by the protocol. The source port is designated at random by the operating system. Sometimes it is possible to filter/screen on the source 
In setting ports you can make use of special signs as well, like described above at 'source'. Signs like:

!       exception/negation

:       range

[]      signs to make clear which parts belong together

,       separation

Example:

[80, 81, 82]    (port 80, 81 and 82)

[80: 82]        (Range from 80 till 82)

[1024: ]        (From 1024 till the highest port-number)

!80             (Every port but 80)

[80:100,!99]    (Range from 80 till 100 but 99 excluded)

[1:80,![2,4]]

[….[.....]]

Example of ports in a signature:

In this example, the red, bold-faced part is the port.

Direction

The direction tells in which way the signature has to match. Nearly every signature has an arrow to the right. This means that only packets with the same direction can match.

source -> destination

source <> destination  (both directions)

Example:

alert tcp 1.2.3.4 1024 - > 5.6.7.8 80

Example 1 tcp-session

In this example there will only be a match if the signature has the same order/direction as the payload.

Example of direction in a signature:

In this example the red, bold-faced part is the direction.

Rule options

Keywords have a set format:

name: settings;

Sometimes it is just the name of the setting followed by ; . Like nocase;

There are specific settings for:

  • meta-information.
  • headers
  • payloads
  • flows

For more information about these settings, you can click on the following headlines:

Meta-settings

Payload keywords

HTTP-keywords

DNS-keywords

Flow-keywords

IP Reputation keyword

============== End

Suricata Rules的更多相关文章

  1. 构建基于Suricata+Splunk的IDS入侵检测系统

    一.什么是IDS和IPS? IDS(Intrusion Detection Systems):入侵检测系统,是一种网络安全设备或应用软件,可以依照一定的安全策略,对网络.系统的运行状况进行监视,尽可能 ...

  2. [DPI][suricata] suricata-4.0.3 安装部署

    suricata 很值得借鉴.但是首先还是要安装使用,作为第一步的熟悉. 安装文档:https://redmine.openinfosecfoundation.org/projects/suricat ...

  3. suricata 原文记录

    如何在 Linux 系统上安装 Suricata 入侵检测系统 编译自:http://xmodulo.com/install-suricata-intrusion-detection-system-l ...

  4. Suricata产生的数据存储目录

    不多说,直接上干货! 我这里呢,分两种常用的Suricata. 一.源码编译安装的Suricata 这里不多说,大家可以去看我下面写的博客 使用 Suricata 进行入侵监控(一个简单小例子访问百度 ...

  5. Suricata的规则解读(默认和自定义)

    不多说,直接上干货! 见suricata官网 https://suricata.readthedocs.io/en/latest/rules/index.html 一.Suricata的规则所放位置 ...

  6. 使用 Suricata 进行入侵监控(一个简单小例子访问百度)

    前期博客 基于CentOS6.5下Suricata(一款高性能的网络IDS.IPS和网络安全监控引擎)的搭建(图文详解)(博主推荐) 1.自己编写一条规则,规则书写参考snort规则(suricata ...

  7. suricata.yaml (一款高性能的网络IDS、IPS和网络安全监控引擎)默认配置文件(图文详解)

    不多说,直接上干货! 前期博客 基于CentOS6.5下Suricata(一款高性能的网络IDS.IPS和网络安全监控引擎)的搭建(图文详解)(博主推荐) 或者 基于Ubuntu14.04下Suric ...

  8. 基于CentOS6.5下Suricata(一款高性能的网络IDS、IPS和网络安全监控引擎)的搭建(图文详解)(博主推荐)

    不多说,直接上干货! 为什么,要写这篇论文? 是因为,目前科研的我,正值研三,致力于网络安全.大数据.机器学习研究领域! 论文方向的需要,同时不局限于真实物理环境机器实验室的攻防环境.也不局限于真实物 ...

  9. Stamus Networks的产品SELKS(Suricata IDPS、Elasticsearch 、Logstash 、Kibana 和 Scirius )的下载和安装(带桌面版和不带桌面版)(图文详解)

    不多说,直接上干货!  SELKS是什么? SELKS 是Stamus Networks的产品,它是基于Debian的自启动运行发行,面向网络安全管理.它基于自己的图形规则管理器提供一套完整的.易于使 ...

随机推荐

  1. PPT插件(islide)

    https://www.islide.cc/features iSlide 主要功能模块   一键优化 将PPT中不规则的字体,段落,色彩,参考线布局,风格样式等一键化全局统一设置,构建专业和规范. ...

  2. 查看Oracle中是否有锁表

    转: 查看Oracle中是否有锁表 2018-04-23 17:59 alapha 阅读(19450) 评论(0) 编辑 收藏 一.用dba用户登录,或者将用户赋权为DBA用户 命令: su - or ...

  3. Oracle索引 详解

    作者:Dave 一.索引介绍 1.1 索引的创建语法: CREATE UNIUQE | BITMAP INDEX <schema>.<index_name> ON <sc ...

  4. WinForm,在另一个线程中更新Form中的数据(转)

    Form本身有线程,但对于一些耗时的操作,我们不希望在Form的线程中进行,因为会导致Form线程阻塞,产生假死的现象. 其他线程中操作Form中的控件,总出现“线程间操作无效: 从不是创建控件的线程 ...

  5. Python使用numpy实现BP神经网络

    Python使用numpy实现BP神经网络 本文完全利用numpy实现一个简单的BP神经网络,由于是做regression而不是classification,因此在这里输出层选取的激励函数就是f(x) ...

  6. delphi十六进制字符串hex转byte数组互相转换bmp图片

    procedure Hex2Png(str: string; out png: TPngObject); var stream: TMemoryStream; begin if not Assigne ...

  7. Swift4.0复习结构体

    1.基本语法: /** 定义了一个结构体 */ struct Structure {   /// 一个常量存储式实例属性, /// 并直接为它初始化 let constProperty =   /// ...

  8. Java使用Jsoup获得新闻联播所有文字稿

    Jsoup的maven坐标: <!-- https://mvnrepository.com/artifact/org.jsoup/jsoup --> <dependency> ...

  9. 【JS新手教程】JS获取当前星期几的几种方法

    该文通过获取星期几的几种方法,介绍JS里的数组,判断,和字符串截取,可以当作新手教程看,小白也看的懂.获取星期几,可通过Date()对象的getDay()获取,获取的是一个数字,对应的是0,1,2,3 ...

  10. JSON Hijacking漏洞

    https://github.com/SkyLined/LocalNetworkScanner JS.利用浏览器漏洞当对方打开网址时,扫描对方内网信息 https://www.freebuf.com/ ...