ridzimeko revisó este gist.
1 file changed, 4 insertions
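--- a/xss.rules
+++ b/xss.rules
@@ -0,0 +1,4 @@
+alert tcp any any -> any any ( msg:"XSS Attempt Detected — injected closing tag"; flow:to_server,established; content:"\"><script"; nocase; http_client_body; classtype:web-application-attack; severity:2; sid:500003; rev:1; )
+alert tcp any any -> any any ( msg:"XSS Attempt Detected — event handler onerror/onload"; flow:to_server,established; content:"onerror="; nocase; http_client_body; classtype:web-application-attack; severity:2; sid:500002; rev:1; )
+alert tcp any any -> any any ( msg:"XSS Attempt Detected — script tag"; flow:to_server,established; content:"<script"; nocase; http_client_body; classtype:web-application-attack; severity:2; sid:500001; rev:1; )
+alert tcp any any -> any any (msg:"[WARNING] Percobaan XSS Terdeteksi: Injeksi <script>"; priority:2; content:"%3Cscript%3E"; nocase; classtype:web-application-attack; sid:1000012; rev:7;)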
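Review bot: `severity:2;` in sid 500001, 500002 and 500003 is not a rule option I can find in either Snort or Suricata's rule grammar, so these three rules will most likely be rejected at load time and silently provide no coverage; the fourth rule already uses the correct form, so change each of the three to `priority:2;`. A second gap worth noting: sids 500001–500003 inspect only `http_client_body` (POST bodies), while sid 1000012 matches only the percent-encoded `%3Cscript%3E` in the raw payload with no `flow` restriction, so a plain `<script` in a GET query string or a URL-encoded payload in a POST body is not caught by any rule here; adding a companion rule per pattern on the URI buffer (`http_uri` in Snort 2 / Suricata, or the equivalent sticky buffer) would close that. Also consider adding `flow:to_server,established;` to sid 1000012 so it is not evaluated on server responses and non-established traffic.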
ridzimeko revisó este gist.
1 file changed, 32 insertions
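--- a/gistfile1.txt
+++ b/gistfile1.txt
@@ -0,0 +1,32 @@
+#alert tcp any any -> $HOME_NET any ( msg:"POTENSI DDoS SYN Flood"; flags:S; flow:stateless; threshold:type both, track by_dst, count 1000, seconds 10; classtype:attempted-dos; priority:2; sid:2000012; rev:1; )
+alert arp any any -> any any ( msg:"POTENSI ARP Spoofing - ARP Reply mencurigakan"; arp_opcode:2; # opcode 2 = ARP reply detection_filter:track by_src, count 5, seconds 10; classtype:network-scan; priority:2; sid:2000013; rev:1; )
+alert tcp !$HOME_NET any -> $HOME_NET any (flags: A; msg:"Possible ACK DoS"; flow: stateless; threshold: type both, track by_dst, count 1000, seconds 3; classtype:attempted-dos; sid:10001;rev:1;)
+alert tcp !$HOME_NET any -> $HOME_NET any (flags: R; msg:"Possible RST DoS"; flow: stateless; threshold: type both, track by_dst, count 1000, seconds 3; classtype:attempted-dos; sid:10003;rev:1;)
+alert tcp !$HOME_NET any -> $HOME_NET any (flags: F; msg:"Possible FIN DoS"; flow: stateless; threshold: type both, track by_dst, count 1000, seconds 3; classtype:attempted-dos; sid:10004;rev:1;)
+alert udp !$HOME_NET any -> $HOME_NET any (msg:"Possible UDP DoS"; flow: stateless; threshold: type both, track by_dst, count 1000, seconds 3; classtype:attempted-dos; sid:10005;rev:1;)
+
+# SYN SCAN -sS (speeds T1-T5)
+
+alert tcp any any -> any [21,22,23,25,53,80,88,110,135,137,138,139,143,161,389,443,445,465,514,587,636,853,993,995,1194,1433,1720,3306,3389,8080,8443,11211,27017,51820] (msg:"POSSBL PORT SCAN (NMAP -sS)"; flow:to_server,stateless; flags:S; window:1024; tcp.mss:1460; threshold:type threshold, track by_src, count 20, seconds 70; classtype:attempted-recon; sid:3400001; priority:2; rev:1;)
+alert tcp any any -> any ![21,22,23,25,53,80,88,110,135,137,138,139,143,161,389,443,445,465,514,587,636,853,993,995,1194,1433,1720,3306,3389,8080,8443,11211,27017,51820] (msg:"POSSBL PORT SCAN (NMAP -sS)"; flow:to_server,stateless; flags:S; window:1024; tcp.mss:1460; threshold:type threshold, track by_src, count 7, seconds 135; classtype:attempted-recon; sid:3400002; priority:2; rev:2;)
+
+# SYN-ACK 3-WAY SCAN -sT (speeds T2-T5)
+
+alert tcp any ![22,25,53,80,88,143,443,445,465,587,853,993,1194,8080,51820] -> any ![22,25,53,80,88,143,443,445,465,587,853,993,1194,8080,51820] (msg:"POSSBL PORT SCAN (NMAP -sT)"; flow:to_server; window:32120; flags:S; threshold:type threshold, track by_src, count 20, seconds 70; classtype:attempted-recon; sid:3400003; rev:3;)
+
+# ACK SCAN -sA (speeds T2-T5)
+
+alert tcp any ![22,25,53,80,88,143,443,445,465,587,853,993,1194,8080,51820] -> any ![22,25,53,80,88,143,443,445,465,587,853,993,1194,8080,51820] (msg:"POSSBL PORT SCAN (NMAP -sA)"; flags:A; flow:stateless; window:1024; threshold:type threshold, track by_dst, count 20, seconds 70; classtype:attempted-recon; sid:3400004; priority:2; rev:5;)
+
+# CHRISTMAS TREE SCAN -sX (speeds T1-T5)
+
+alert tcp any any -> any any (msg:"POSSBL PORT SCAN (NMAP -sX)"; flags:FPU; flow:to_server,stateless; threshold:type threshold, track by_src, count 3, seconds 120; classtype:attempted-recon; sid:3400005; rev:2;)
+
+# FRAGMENTED SCAN -f (speeds T1-T5)
+
+alert ip any any -> any any (msg:"POSSBL SCAN FRAG (NMAP -f)"; fragbits:M+D; threshold:type limit, track by_src, count 3, seconds 1210; classtype:attempted-recon; sid:3400006; priority:2; rev:6;)
+
+# UDP SCAN -sU (speeds T1-T5)
+
+alert udp any any -> any [53,67,68,69,123,161,162,389,520,1026,1027,1028,1029,1194,1434,1900,11211,12345,27017,51820] (msg:"POSSBL PORT SCAN (NMAP -sU)"; flow:to_server,stateless; classtype:attempted-recon; sid:3400007; priority:2; rev:6; threshold:type threshold, track by_src, count 20, seconds 70; dsize:0;)
+alert udp any any -> any ![53,67,68,69,123,161,162,389,520,1026,1027,1028,1029,1194,1434,1900,11211,12345,27017,51820] (msg:"POSSBL PORT SCAN (NMAP -sU)"; flow:to_server,stateless; classtype:attempted-recon; sid:3400008; priority:2; rev:6; threshold:type threshold, track by_src, count 7, seconds 135; dsize:0;)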
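Review bot: The ARP rule (sid 2000013, line 2 of the file) has `# opcode 2 = ARP reply` pasted inside the option list; `#` only starts a comment at the beginning of a line, so the parser sees `# opcode 2 = ARP reply detection_filter:...` as a malformed option and the rule will fail to load, taking the `detection_filter` with it. Move the comment onto its own line above the rule and keep the options contiguous: `# opcode 2 = ARP reply` followed by `alert arp any any -> any any ( msg:"POTENSI ARP Spoofing - ARP Reply mencurigakan"; arp_opcode:2; detection_filter:track by_src, count 5, seconds 10; classtype:network-scan; priority:2; sid:2000013; rev:1; )`. The file also mixes engine-specific syntax — `tcp.mss` on sids 3400001/3400002 is, to my knowledge, a Suricata keyword, while `alert arp` / `arp_opcode` is not accepted by Snort 2 and only by newer Suricata releases — so a header comment naming the target engine and version would save the next person a failed `-T` rule test. Lastly, sid 3400003 keys on `window:32120`, which depends on the scanning host's OS stack rather than on Nmap itself; a comment stating which client OS this value was observed from would make that choice reviewable.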