Custom Rules
Custom rules added to /home/plixer/flowpro/rules/custom.rules are loaded by Suricata.
A rule consists of the following:
- Action: determines what happens when the rule matches.
- Header: defines the protocol, IP addresses, ports and direction of the rule.
- Rule options: define the specifics of the rule.
The suricata-update command can be used to manage the running rule set if a custom source is available via HTTPS.
The custom Suricata rules file uses the following format (newline delimited):
Note: General rules are used in the following example for demonstration. In high-performance environments, rules should be as specific as possible.
```
alert tcp $HOME_NET any -> $EXTERNAL_NET 8080 (msg:"This rule alerts on traffic from the internal network to the external network over 8080/tcp"; classtype:web-application-activity; sid:2000010;)
alert http 10.1.2.3 any -> any any (msg:"HTTP GET request to example.com detected from 10.1.2.3"; classtype:trojan-activity; flow:established,to_server; http.method; content:"GET"; http.host; content:"example.com"; nocase; sid:3000001; rev:1;)
alert tcp any any -> any 22 (msg:"SSH protocol version 2 detected"; flow:established,to_server; content:"SSH-2.0"; startswith; sid:3000002; rev:1;)
alert dns any any -> any 53 (msg:"DNS query for malicious-domain.com detected"; classtype:targeted-activity; dns.query; content:"malicious-domain.com"; nocase; sid:3000003; rev:1;)
alert http any any -> any any (msg:"Download of malicious.exe detected"; classtype:suspicious-filename-detect; flow:established,to_server; http.request_uri; content:"/malicious.exe"; endswith; sid:3000004; rev:1;)
alert tls any any -> any any (msg:"TLS 1.0 usage detected"; classtype:non-standard-protocol; tls.version:1.0; sid:3000005; rev:1;)
#alert tcp any any -> any any (msg:"A commented out rule to temporarily disable"; classtype:example; sid:3000006; rev:1;)
```
The following are the minimum required fields for Plixer FlowPro events to be sent to Plixer Scrutinizer. Each of these class types maps to a specific policy in Scrutinizer:

| Event code | Description |
|---|---|
| attempted-recon | Attempted information leak |
| successful-recon-limited | Information leak |
| successful-recon-largescale | Large-scale information leak |
| attempted-dos | Attempted Denial of Service |
| successful-dos | Denial of Service |
| attempted-user | Attempted User Privilege Gain |
| unsuccessful-user | Unsuccessful User Privilege Gain |
| successful-user | Successful User Privilege Gain |
| successful-admin | Successful Administrator Privilege Gain |
| rpc-portmap-decode | Decode of an RPC Query |
| shellcode-detect | Executable code was detected |
| suspicious-filename-detect | A suspicious filename was detected |
| suspicious-login | An attempted login using a suspicious username |
| system-call-detect | A system call was detected |
| trojan-activity | A Network Trojan was detected |
| unusual-client-port-connection | A client was using an unusual port |
| network-scan | Detection of a Network Scan |
| denial-of-service | Detection of a Denial of Service Attack |
| non-standard-protocol | Detection of a non-standard protocol or event |
| web-application-activity | Access to a potentially vulnerable web app |
| web-application-attack | Web application attack |
| default-login-attempt | Attempt to login by a default username/password |
| targeted-activity | Targeted malicious activity was detected |
| exploit-kit | Exploit kit activity detected |
| external-ip-check | Device retrieving external IP Address detected |
| domain-c2 | Domain observed used for C2 detected |
| pup-activity | Possibly unwanted program detected |
| credential-theft | Successful credential theft detected |
| social-engineering | Possible social engineering attempted |
| coin-mining | Crypto currency mining activity detected |
| command-and-control | Malware command and control activity detected |
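As an added example (not part of FlowPro or Suricata), the following Python linter applies the points above to a custom.rules file before it is loaded: it parses each rule into action, header and options, requires msg, classtype and sid (an assumed minimum, since the page does not enumerate the required fields), flags a classtype outside the Scrutinizer mapping table, and reports duplicate sids; commented-out rules are skipped.

```python
import re

# Class types the page maps to a Scrutinizer policy (copied from the table above).
MAPPED_CLASSTYPES = set("""attempted-recon successful-recon-limited successful-recon-largescale
attempted-dos successful-dos attempted-user unsuccessful-user successful-user successful-admin
rpc-portmap-decode shellcode-detect suspicious-filename-detect suspicious-login system-call-detect
trojan-activity unusual-client-port-connection network-scan denial-of-service non-standard-protocol
web-application-activity web-application-attack default-login-attempt targeted-activity exploit-kit
external-ip-check domain-c2 pup-activity credential-theft social-engineering coin-mining
command-and-control""".split())
# Header: action proto src sport dir dst dport, followed by the parenthesised option body.
HEADER = re.compile(r"^(\w+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)$")
# One option per match: split on ';' only outside double quotes (a msg may contain ';').
OPTION = re.compile(r'\s*((?:"[^"]*"|[^;"])+);')
REQUIRED = ("msg", "classtype", "sid")  # assumed minimum option set (see lead-in)

def parse_rule(line):
    """Return (header_fields, {option: value}) or None if the header is malformed."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    options = {}
    for opt in OPTION.findall(m.group(8)):
        name, _, value = opt.partition(":")
        options[name.strip()] = value.strip().strip('"')
    return m.groups()[:7], options

def lint_rules(text):
    """Return 'line N: problem' strings for active rules; commented-out rules are skipped."""
    problems, seen = [], {}
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        parsed = parse_rule(line)
        if parsed is None:
            problems.append(f"line {n}: malformed rule header")
            continue
        opts = parsed[1]
        problems += [f"line {n}: missing {k}" for k in REQUIRED if k not in opts]
        ct = opts.get("classtype")
        if ct and ct not in MAPPED_CLASSTYPES:
            problems.append(f"line {n}: classtype {ct!r} has no Scrutinizer policy mapping")
        sid = opts.get("sid")
        if sid in seen:
            problems.append(f"line {n}: duplicate sid {sid} (first seen on line {seen[sid]})")
        elif sid:
            seen[sid] = n
    return problems
```

Run it as `lint_rules(open("/home/plixer/flowpro/rules/custom.rules").read())`; an empty list means every active rule parsed, carries the three options and a mapped classtype, and has a unique sid.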