forked from simple-evcorr/rulesets
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathsnort.sec
163 lines (125 loc) · 5.33 KB
/
snort.sec
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
####################################################################
# Sample SEC ruleset for Snort IDS
#
# Copyright (C) 2003-2009 Risto Vaarandi
# This is free software. You may redistribute copies of it under the terms of
# the GNU General Public License version 2.
# There is NO WARRANTY, to the extent permitted by law.
####################################################################
# ------------------------------------------------------------------
# Handle portscans
# ------------------------------------------------------------------
# For every completed portscan, add an entry to the PORTSCAN_REPORT;
# also generate a meta-event ACTIVITY_FROM for the IP
type=Single
ptype=RegExp
pattern=End of portscan from (([\d.]+).*)
desc=Portscan from $1
action=add PORTSCAN_REPORT %t: %s; event ACTIVITY_FROM_$2: %s
# ------------------------------------------------------------------
# Recognize snort alert message and generate corresponding SEC event
# ------------------------------------------------------------------
# recognize snort alert message; also generate
# a meta-event ACTIVITY_FROM for the IP
type=Single
ptype=RegExp
pattern=snort(?:\[\d+\])?: \[[0-9:]+\] (.+|!Malware|!MALWARE) \[(.+)\] \[.*Priority: (\d+)\]: \S+ ([\d.]+):?\d* -> ([\d.]+):?\d*
desc=PRIORITY $3 INCIDENT FROM $4 TO $5: $1 [$2]
action=event %s; event ACTIVITY_FROM_$4: $1
## Detect if it's an unwanted event in snort
#type=Single
#ptype=RegExp
#pattern=(MALWARE|Malware)
#desc=$0
#action=create UNWANTED_EVENT
# ------------------------------------------------------------------
# Handle priority 1 incidents
# ------------------------------------------------------------------
# Detect the beginning of priority 1 attack from a certain source IP,
# and send a warning e-mail message that a new attack has begun;
# also create a context for storing a detailed information about the attack
type=Single
ptype=RegExp
pattern=PRIORITY 1 INCIDENT FROM ([\d.]+) TO [\d.]+:
context=ATTACK_FROM_$1
continue=TakeNext
desc=Priority 1 attack started from $1
action=create ATTACK_FROM_$1; add ALERT_REPORT %t: %s; pipe '%t: %s' \
/usr/bin/mail -s 'NOC: SNORT: priority 1 attack from $1' alerts@example.com
# For every priority 1 incident, add an entry to the context by its IP;
# if the IP has been quiet for 5 minutes, report the whole attack
type=Single
ptype=RegExp
pattern=PRIORITY 1 INCIDENT FROM ([\d.]+) TO ([\d.]+): (.+)
context=ATTACK_FROM_$1
continue=TakeNext
desc=Priority 1 incident from $1 to $2: $3
action=add ATTACK_FROM_$1 %t: %s; \
set ATTACK_FROM_$1 300 ( report ATTACK_FROM_$1 \
/usr/bin/mail -s 'NOC: SNORT: priority 1 attack from $1 (report)' alerts@example.com )
# ------------------------------------------------------------------
# Handle incidents by thresholding
# ------------------------------------------------------------------
# Count how many _certain type_ of incidents are coming from one source
# if the threshold has been crossed, reset the counting operation started
# by the next rule, in order to avoid duplicate alerts for the same IP
type=SingleWithThreshold
ptype=RegExp
pattern=PRIORITY (\d+) INCIDENT FROM ([\d.]+) TO [\d.]+: (.+)
continue=TakeNext
desc=Snort has seen >= 30 priority $1 incidents from $2: $3
action=add ALERT_REPORT %t: %s; \
reset +1 Snort has seen >= 150 incidents from $2; \
create TURNOFF_$2 3600
thresh=30
window=3600
# Count how many incidents come from one source
type=SingleWithThreshold
ptype=RegExp
pattern=PRIORITY \d+ INCIDENT FROM ([\d.]+) TO [\d.]+:
context=!TURNOFF_$1
desc=Snort has seen >= 150 incidents from $1
action=add ALERT_REPORT %t: %s
thresh=150
window=7200
# ------------------------------------------------------------------
# Report IPs that have been active for some time
# ------------------------------------------------------------------
# Set up activity contexts for the IP; if the IP has been active for 2 hours,
# and there have been no gaps longer than 30 minutes, report its activities
type=Single
ptype=RegExp
pattern=ACTIVITY_FROM_([\d.]+):
context=!ACTIVITY_LIST_FOR_$1
continue=TakeNext
desc=Create activity contexts for $1
action=create ACTIVITY_LIST_FOR_$1_LIFETIME; \
create ACTIVITY_LIST_FOR_$1 7200 ( report ACTIVITY_LIST_FOR_$1 \
/usr/bin/mail -s 'SNORT: $1 has been active for 2 hours' alerts@example.com; \
delete ACTIVITY_LIST_FOR_$1_LIFETIME )
# Add the activity event to the context of a given IP, and extend
# the lifetime of activity contexts for 30 minutes for the IP
type=Single
ptype=RegExp
pattern=ACTIVITY_FROM_([\d.]+): (.*)
context=ACTIVITY_LIST_FOR_$1
desc=Activity from $1: $2
action=add ACTIVITY_LIST_FOR_$1 %t: %s; \
set ACTIVITY_LIST_FOR_$1_LIFETIME 1800 ( delete ACTIVITY_LIST_FOR_$1 )
# ------------------------------------------------------------------
# Send reports every day at 9:00 am
# ------------------------------------------------------------------
# send daily report about regular alerts
type=Calendar
time=0 12 * * *
desc=Sending alert report...
action=report ALERT_REPORT \
/usr/bin/mail -s 'SNORT: Hourly alert report' alerts@example.com; \
delete ALERT_REPORT
# send daily report about portscans
type=Calendar
time=0 9 * * *
desc=Sending portscan report...
action=report PORTSCAN_REPORT \
/usr/bin/mail -s 'SNORT: daily portscan report' alerts@example.com; \
delete PORTSCAN_REPORT