Gostaria que pudessem me falar a respeito dessas regras: se ficaram boas ou
se necessitam de modificações?
# Rule for x86 NOOP shellcode attack
# NOTE(review): both rules below match solely on destination port 137 with
# no payload test, so every packet to that port raises this alert whatever
# its content; as written this is a port filter, not a shellcode/NOP-sled
# signature. A payload regex (as used by the rules further down) would be
# needed to match only the exploit bytes.
# The message says "flood buffer", but no rate or packet-count threshold is
# expressed here — confirm whether the engine supports one.
# "www" in ip dst(www) is presumably an alias for the protected host;
# confirm it is defined for this rule engine.
<rule>
ip dst(www)
tcp dst(137)
message=(flood buffer) ShellCode attack - Sirlene
action=action1
</rule>
# UDP counterpart of the rule above: same port, same caveats.
<rule>
ip dst(www)
udp dst(137)
message=(flood buffer) ShellCode attack - Sirlene
action=action1
</rule>
# Rule for OpenPort attack
# NOTE(review): this matches the literal text "Open Port: 80" or
# "Open Port: 22" in the payload of a TCP/80 stream — a scanner's report
# text, not scanning behaviour (probes across many ports). Labelling the
# alert "(portscan)" may mislead analysts; a message such as
# "(portscan report text)" describes what is actually matched.
# The regex uses basic-RE escaping (\( \| \)); confirm that is the dialect
# the engine expects, otherwise the group/alternation will not work.
<rule>
ip dst(www)
tcp dst(80)
tcp regex (^Open[ ]Port:[ ]\(80\|22\).)
message=(portscan) attack
action=action1
</rule>
# Rule for "MS-SQL version overflow attempt"
# NOTE(review): both rules fire on any TCP connection to 1433/1434 with no
# payload check, so legitimate SQL Server client traffic to the host will
# alert as well. The title names a specific overflow; a payload signature
# is needed to match only that attempt. The SQL Server Resolution Service
# on 1434 is normally reached over UDP, so a udp dst(1434) rule may be the
# intended one — verify against the signature this was adapted from.
<rule>
ip dst(www)
tcp dst(1433)
message=(MsSQL) attack
action=action1
</rule>
<rule>
ip dst(www)
tcp dst(1434)
message=(MsSQL) attack
action=action1
</rule>
# Rule for ICMP PING and Echo Reply attack
# NOTE(review): the heading says ICMP, but both rules are TCP/80 payload
# regexes; an ICMP echo never satisfies tcp dst(80), so these cannot detect
# pings. Either use the engine's ICMP type test (if it has one) or retitle
# the messages to say what they really match.
# The class [¬] looks like a mis-encoded character from the original
# signature — confirm the intended byte; \{36} requires exactly 36 of it.
<rule>
ip dst(www)
tcp dst(80)
tcp regex (^[¬]\{36})
message=(Icmp-1) attack
action=action1
</rule>
# Presumably matches a payload beginning "Ba…w…"; document the sample this
# pattern was derived from so it can be re-checked later.
<rule>
ip dst(www)
tcp dst(80)
tcp regex (^Ba[a-z]*w[a-z]\{1,9})
message=(Icmp-2) attack
action=action1
</rule>
# Rule for IcmpDestination attack
# NOTE(review): despite the name, these are TCP/80 payload regexes for
# scareware pop-up text ("STOP! IMMEDIATE ATTENTION", "your system registry
# is corrupted", www.regfixit.com / www.nowfixpc.com); they are not ICMP
# destination-unreachable tests. Consider renaming the messages so the
# alert describes what was matched.
# Each regex contains a literal line break — inside [ ] in rules 1 and 2,
# inside the quoted phrase in rule 3. If that is e-mail wrapping rather
# than intended, the rules will never match; re-check the file on disk.
# Rule 1 spells IMMEDITE while rule 2 spells IMMEDIATE — verify against the
# sample payload before relying on it.
# The fixed offsets (.\{176}, .\{120}, .\{18} …) bind each rule to one
# exact page layout; small changes in the payload defeat them.
<rule>
ip dst(www)
tcp dst(80)
tcp regex (^.\{176}\(STOP!\).\{18}\(IMMEDITE\)[
]\(ATTENTION\).\{203}\(www\.regfixit\.com\).\{1,111})
message=(IcmpDestination-1) attack
action=action1
</rule>
<rule>
ip dst(www)
tcp dst(80)
tcp regex (^.\{176}\(STOP!\).\{20}\(IMMEDIATE\)[
]\(ATTENTION\).\{148}\(www\.nowfixpc\.com\).\{1,164})
message=(IcmpDestination-2) attack
action=action1
</rule>
<rule>
ip dst(www)
tcp dst(80)
tcp regex (^.\{120}\(SYSTEM\).\{22}\(ALERT\).\{23}\(your system registry is
corrupted\).\{1,339})
message=(IcmpDestination-3) attack
action=action1
</rule>
--
Danilo Marques
Sistemas de Informação
Mineiros - GO
--
Danilo Marques
Sistemas de Informação
Mineiros - GO
# Rule for x86 NOOP shellcode attack
# NOTE(review): both rules below match solely on destination port 137 with
# no payload test, so every packet to that port raises this alert whatever
# its content; as written this is a port filter, not a shellcode/NOP-sled
# signature. A payload regex (as used by the rules further down) would be
# needed to match only the exploit bytes.
# The message says "flood buffer", but no rate or packet-count threshold is
# expressed here — confirm whether the engine supports one.
# "www" in ip dst(www) is presumably an alias for the protected host;
# confirm it is defined for this rule engine.
<rule>
ip dst(www)
tcp dst(137)
message=(flood buffer) ShellCode attack - Sirlene
action=action1
</rule>
# UDP counterpart of the rule above: same port, same caveats.
<rule>
ip dst(www)
udp dst(137)
message=(flood buffer) ShellCode attack - Sirlene
action=action1
</rule>
# Rule for OpenPort attack
# NOTE(review): this matches the literal text "Open Port: 80" or
# "Open Port: 22" in the payload of a TCP/80 stream — a scanner's report
# text, not scanning behaviour (probes across many ports). Labelling the
# alert "(portscan)" may mislead analysts; a message such as
# "(portscan report text)" describes what is actually matched.
# The regex uses basic-RE escaping (\( \| \)); confirm that is the dialect
# the engine expects, otherwise the group/alternation will not work.
<rule>
ip dst(www)
tcp dst(80)
tcp regex (^Open[ ]Port:[ ]\(80\|22\).)
message=(portscan) attack
action=action1
</rule>
# Rule for "MS-SQL version overflow attempt"
# NOTE(review): both rules fire on any TCP connection to 1433/1434 with no
# payload check, so legitimate SQL Server client traffic to the host will
# alert as well. The title names a specific overflow; a payload signature
# is needed to match only that attempt. The SQL Server Resolution Service
# on 1434 is normally reached over UDP, so a udp dst(1434) rule may be the
# intended one — verify against the signature this was adapted from.
<rule>
ip dst(www)
tcp dst(1433)
message=(MsSQL) attack
action=action1
</rule>
<rule>
ip dst(www)
tcp dst(1434)
message=(MsSQL) attack
action=action1
</rule>
# Rule for ICMP PING and Echo Reply attack
# NOTE(review): the heading says ICMP, but both rules are TCP/80 payload
# regexes; an ICMP echo never satisfies tcp dst(80), so these cannot detect
# pings. Either use the engine's ICMP type test (if it has one) or retitle
# the messages to say what they really match.
# The class [¬] looks like a mis-encoded character from the original
# signature — confirm the intended byte; \{36} requires exactly 36 of it.
<rule>
ip dst(www)
tcp dst(80)
tcp regex (^[¬]\{36})
message=(Icmp-1) attack
action=action1
</rule>
# Presumably matches a payload beginning "Ba…w…"; document the sample this
# pattern was derived from so it can be re-checked later.
<rule>
ip dst(www)
tcp dst(80)
tcp regex (^Ba[a-z]*w[a-z]\{1,9})
message=(Icmp-2) attack
action=action1
</rule>
# Rule for IcmpDestination attack
# NOTE(review): despite the name, these are TCP/80 payload regexes for
# scareware pop-up text ("STOP! IMMEDIATE ATTENTION", "your system registry
# is corrupted", www.regfixit.com / www.nowfixpc.com); they are not ICMP
# destination-unreachable tests. Consider renaming the messages so the
# alert describes what was matched.
# Each regex contains a literal line break — inside [ ] in rules 1 and 2,
# inside the quoted phrase in rule 3. If that is e-mail wrapping rather
# than intended, the rules will never match; re-check the file on disk.
# Rule 1 spells IMMEDITE while rule 2 spells IMMEDIATE — verify against the
# sample payload before relying on it.
# The fixed offsets (.\{176}, .\{120}, .\{18} …) bind each rule to one
# exact page layout; small changes in the payload defeat them.
<rule>
ip dst(www)
tcp dst(80)
tcp regex (^.\{176}\(STOP!\).\{18}\(IMMEDITE\)[
]\(ATTENTION\).\{203}\(www\.regfixit\.com\).\{1,111})
message=(IcmpDestination-1) attack
action=action1
</rule>
<rule>
ip dst(www)
tcp dst(80)
tcp regex (^.\{176}\(STOP!\).\{20}\(IMMEDIATE\)[
]\(ATTENTION\).\{148}\(www\.nowfixpc\.com\).\{1,164})
message=(IcmpDestination-2) attack
action=action1
</rule>
<rule>
ip dst(www)
tcp dst(80)
tcp regex (^.\{120}\(SYSTEM\).\{22}\(ALERT\).\{23}\(your system registry is
corrupted\).\{1,339})
message=(IcmpDestination-3) attack
action=action1
</rule>