-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathlocal.rules
27 lines (26 loc) · 1.63 KB
/
local.rules
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
# $Id: local.rules,v 1.11 2004/07/23 20:15:44 bmc Exp $
# ----------------
# LOCAL RULES
# ----------------
# This file intentionally does not come with signatures. Put your local
# additions here.
#
# P4.1 Land Attack
alert tcp 10.0.0.10 80 -> 10.0.0.10 80 (msg:"Land Attack detected!!";flags:S;sid:100000001;rev:0;)
# P4.2 Flood Attack
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SYN Flood Attack detected!!";flags:S;threshold: type threshold, track by_dst, count 20, seconds 60;sid:10000002;rev:0;)
# P4.3 Smurf Attack
alert icmp 192.168.0.0/24 any -> $HOME_NET any (msg:"Smurf Attack detected!!";itype:0;sid:10000003;rev:0;)
# P4.4 UDP Attack
alert udp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"UDP Flood Attack detected!!";threshold: type threshold, track by_dst, count 10, seconds 60; sid:1000004; rev:0;)
# P4.5 Attack Scans
# TCP ACK
alert tcp $EXTERNAL_NET any -> 10.0.0.10 any (msg:"TCP ACK scan!";flags:A;threshold: type threshold, track by_dst, count 20, seconds 60; sid:100000031;rev:0;)
# TCP FIN
alert tcp $EXTERNAL_NET any -> 10.0.0.10 any (msg:"TCP FIN scan!";flags:F;threshold: type threshold, track by_dst, count 20, seconds 60; sid:100000032;rev:0;)
# TCP X-Mas
alert tcp $EXTERNAL_NET any -> 10.0.0.10 any (msg:"TCP XMas scan!";flags:FPU;threshold: type threshold, track by_dst, count 20, seconds 60; sid:100000033;rev:0;)
# TCP Null
alert tcp $EXTERNAL_NET any -> 10.0.0.10 any (msg:"TCP Null scan!";flags:0;threshold: type threshold, track by_dst, count 20, seconds 60; sid:100000034;rev:0;)
# UDP
alert udp $EXTERNAL_NET any -> 10.0.0.10 any (msg:"UDP scan!";threshold: type threshold, track by_dst, count 20, seconds 60; sid:100000035;rev:0;)