diff --git a/Dockerfile b/Dockerfile
index 4fbd4eb..08bdb13 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,145 +1,42 @@
-#
-# BUILD CONTAINER
-# (Note that this is a multi-phase Dockerfile)
-# To build run `docker build --rm -t tebedwel/snort3-alpine:latest`
-#
 FROM ubuntu:22.04 AS builder
+ARG DEBIAN_FRONTEND=noninteractive
 ENV PREFIX_DIR=/usr/local
 ENV HOME=/root
-# Update apt-get adding the @testing repo for hwloc (as of Alpine v3.7)
-# RUN apt-get add -X https://dl-cdn.alpinelinux.org/alpine/v3.16/main -u alpine-keys
-# RUN echo "@testing http://dl-cdn.alpinelinux.org/alpine/edge/testing" >> /etc/apt-get/repositories
-
-# Prep apt-get for installing packages
-RUN apt-get update -y && apt-get upgrade -y
-
-# BUILD DEPENDENCIES:
-RUN apt-get install -y \
- wget \
- git \
- cmake \
- make \
- g++ \
- bison \
- flex \
- cppcheck \
- cpputest \
- autoconf \
- automake \
- libtool \
- # Libraries
- libdumbnet-dev \
- libdnet-dev \
- libpcap-dev \
- libtirpc-dev \
- libmnl-dev \
- libunwind-dev \
-# Install the Snort developer requirements
- curl \
- gdb \
- vim \
- build-essential \
- libpcre3-dev \
- libnet1-dev \
- zlib1g-dev \
- luajit \
- hwloc \
- liblzma-dev \
- openssl \
- libssl-dev \
- pkg-config \
- libhwloc-dev \
- libsqlite3-dev \
- uuid-dev \
- libcmocka-dev \
- libnetfilter-queue-dev \
- autotools-dev \
- libluajit-5.1-dev \
- libfl-dev
-
-# One of the quirks of alpine is that unistd.h is in /usr/include. Lots of
-# software looks for it in /usr/include/linux or /usr/include/sys.
-# So, we'll make symlinks
-# RUN mkdir /usr/include/linux && \
-# ln -s /usr/include/unistd.h /usr/include/linux/unistd.h && \
-# ln -s /usr/include/unistd.h /usr/include/sys/unistd.h
-
-# The Alpine hwloc on testing is not reliable from a build perspective.
-# So, lets just build it ourselves.
-#
-#WORKDIR $HOME
-#RUN wget https://download.open-mpi.org/release/hwloc/v2.0/hwloc-2.0.3.tar.gz &&\
-# tar zxvf hwloc-2.0.3.tar.gz
-#WORKDIR $HOME/hwloc-2.0.3
-#RUN ./configure --prefix=${PREFIX_DIR} && \
-# make && \
-# make install
-
-# BUILD Daq on alpine:
+RUN apt-get -y update && apt-get -y upgrade
+RUN apt-get -y install \
+ wget git cmake make g++ bison flex cppcheck cpputest autoconf automake libtool curl gdb vim build-essential luajit hwloc openssl pkg-config openssh-server \
+ strace perl libio-socket-ssl-perl libcrypt-ssleay-perl ca-certificates libwww-perl python3-pip python3-pcapy python3-dpkt supervisor net-tools iputils-ping python3 \
+ libdumbnet-dev libdnet-dev libpcap-dev libtirpc-dev libmnl-dev libunwind-dev libpcre3-dev zlib1g-dev libnet1-dev liblzma-dev \
+ libssl-dev libhwloc-dev libsqlite3-dev uuid-dev libcmocka-dev libnetfilter-queue-dev autotools-dev libluajit-5.1-dev libfl-dev \
+ libpcre3 libpcre3-dbg libyaml-0-2 libyaml-dev zlib1g libcap-ng-dev libcap-ng0 libmagic-dev libnuma-dev
+# Build libdaq
 WORKDIR $HOME
 RUN git clone https://github.com/snort3/libdaq.git
 WORKDIR $HOME/libdaq
-RUN ./bootstrap && \
- ./configure --prefix=${PREFIX_DIR} && make && \
- make install
-
-# BUILD gperftools
+RUN ./bootstrap && ./configure --prefix=${PREFIX_DIR} && make && make install
+# Build gperftools
 WORKDIR $HOME
-RUN wget https://github.com/gperftools/gperftools/releases/download/gperftools-2.9.1/gperftools-2.9.1.tar.gz &&\
- tar xzf gperftools-2.9.1.tar.gz
+RUN wget https://github.com/gperftools/gperftools/releases/download/gperftools-2.9.1/gperftools-2.9.1.tar.gz && tar xzf gperftools-2.9.1.tar.gz
 WORKDIR $HOME/gperftools-2.9.1
 RUN ./configure && make && make install
-
-# BUILD Snort on alpine
+# Build snort
 WORKDIR $HOME
-# RUN git clone https://github.com/snort3/snort3.git
-RUN wget https://github.com/snort3/snort3/archive/refs/tags/3.3.2.0.tar.gz &&\
- tar xzf 3.3.2.0.tar.gz
-
+RUN wget 
https://github.com/snort3/snort3/archive/refs/tags/3.3.2.0.tar.gz && tar xzf 3.3.2.0.tar.gz
 WORKDIR $HOME/snort3-3.3.2.0
-RUN ./configure_cmake.sh \
- --prefix=${PREFIX_DIR} \
- --enable-tcmalloc \
- --disable-docs
-
+RUN ./configure_cmake.sh --prefix=${PREFIX_DIR} --enable-tcmalloc --disable-docs
 WORKDIR $HOME/snort3-3.3.2.0/build
 RUN make && make install
 RUN ln -s /usr/local/lib/libtcmalloc.so.4 /lib/ && \
 ln -s /usr/local/lib/libdaq.so.3 /lib/ && \
 ldconfig
-
-
-#
-# RUNTIME CONTAINER
-#
-#FROM ubuntu:22.04
-
-#ENV PREFIX_DIR=/usr/local
-#WORKDIR ${PREFIX_DIR}
-
-# Prep apt-get for installing packages
-#RUN apt-get update -y
-#RUN apt-get upgrade -y
-
-# RUNTIME DEPENDENCIES:
-#RUN apt-get install \
-# libdnet \
-# luajit \
-# musl \
-# libstdc++
-
-# Copy the build artifacts from the build container to the runtime file system
-#COPY --from=builder ${PREFIX_DIR}/etc/ /etc/
-#COPY --from=builder ${PREFIX_DIR}/lib/ /lib/
-#COPY --from=builder ${PREFIX_DIR}/lib64/ ${PREFIX_DIR}/lib64/
-#COPY --from=builder ${PREFIX_DIR}/bin/ /bin/
+# Add community rules to snort
 WORKDIR $HOME
 RUN mkdir ${PREFIX_DIR}/etc/rules && \
 mkdir ${PREFIX_DIR}/etc/so_rules/ && \
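Review bot: The build is neither pinned nor verified: `RUN git clone https://github.com/snort3/libdaq.git` takes whatever the default branch holds on build day, and the gperftools 2.9.1 and snort 3.3.2.0 archives are `wget`-ed and `tar xzf`-ed with no digest check, so a moved tag or a tampered release archive is compiled into the sensor silently. Pin the clone (`git clone --depth 1 --branch <libdaq-release-tag> https://github.com/snort3/libdaq.git`) and check each archive before extracting, e.g. `echo "<sha256>  gperftools-2.9.1.tar.gz" | sha256sum -c -` between the `wget` and the `tar` (or `ADD --checksum=sha256:<hex> <url> .` under BuildKit). The apt step also installs `openssh-server`, `gdb`, `vim`, `strace` and `net-tools` into what is now the only stage that ships (the commented-out runtime stage is removed here), and `apt-get -y update` sits in its own layer ahead of `apt-get -y install`, so a cached update can be paired with a newer package list. Folding them into one `RUN apt-get update && apt-get install -y --no-install-recommends … && rm -rf /var/lib/apt/lists/*` and keeping the debugging tools out of the shipped image would reduce both size and attack surface.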
@@ -147,15 +44,38 @@ RUN mkdir ${PREFIX_DIR}/etc/rules && \
 touch ${PREFIX_DIR}/etc/rules/local.rules && \
 touch ${PREFIX_DIR}/etc/lists/default.blocklist && \
 mkdir /var/log/snort
-
 COPY snort3-community-rules.tar ${HOME}/snort3-community-rules.tar
-
-RUN tar -xvzf snort3-community-rules.tar && \
- cd snort3-community-rules && \
- cp * ${PREFIX_DIR}/etc/rules/
-
+RUN tar -xvzf snort3-community-rules.tar && cd snort3-community-rules && cp * ${PREFIX_DIR}/etc/rules/
 RUN snort --version
-ENTRYPOINT ["snort", "-c", "/usr/local/etc/snort/snort.lua", "-R", "/usr/local/etc/rules/snort3-community.rules", "-i", "wl01", "-s", "65535", "-k", "none"]
+# Install OpenAppID
+WORKDIR $HOME
+COPY snort-openappid.tar.gz ${HOME}/OpenAppId-23020.tar.gz
+RUN tar -xzvf OpenAppId-23020.tar.gz && cp -R odp /usr/local/lib/
-#ENTRYPOINT ["tail", "-f", "/dev/null"]
\ No newline at end of file
+RUN pip3 install pygeoip dnif idstools
+#RUN mkdir /usr/local/lookups && cd /usr/local/lookups && \
+# wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz && \
+# wget http://download.maxmind.com/download/geoip/database/asnum/GeoIPASNum.dat.gz && \
+# gunzip GeoLiteCity.dat.gz GeoIPASNum.dat.gz
+
+# Install snort-sgent
+WORKDIR /usr/local/src
+RUN wget https://github.com/dnif/snort-agent/archive/0.8.tar.gz && tar -zxvf 0.8.tar.gz && mv snort-agent-* snort-agent
+
+# Set up SSH
+RUN mkdir /var/run/sshd
+RUN echo 'root:screencast' | chpasswd
+RUN sed -i 's/PermitRootLogin prohibit-password/PermitRootLogin yes/' /etc/ssh/sshd_config
+RUN sed 's@session\s*required\s*pam_loginuid.so@session optional pam_loginuid.so@g' -i /etc/pam.d/sshd
+RUN echo "export VISIBLE=now" >> /etc/profile
+
+EXPOSE 22
+
+COPY supervisord.conf /etc/supervisor/conf.d/supervisord.conf
+COPY entrypoint.sh ${HOME}/entrypoint.sh
+#CMD ["/usr/bin/supervisord", "-c", "/etc/supervisor/conf.d/supervisord.conf"]
+
+#ENTRYPOINT ["snort", "-c", "/usr/local/etc/snort/snort.lua", "-R", 
"/usr/local/etc/rules/snort3-community.rules", "-i", "wl01", "-s", "65535", "-k", "none"] +#ENTRYPOINT ["tail", "-f", "/dev/null"] +ENTRYPOINT ["/bin/bash", "/root/entrypoint.sh"] \ No newline at end of file diff --git a/docker-compose.yml b/docker-compose.yml index 747df6b..e7c6f7d 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -6,6 +6,21 @@ services: dockerfile: Dockerfile context: ./ volumes: - - snort:/usr/local/etc/snort -volumes: - snort: \ No newline at end of file + - ./snort-conf:/usr/local/etc/snort + - ./snort-rules.txt:/usr/local/etc/rules/local.rules + ports: + - 22:22 + networks: + snort_lan: + ping: + image: willfarrell/ping + environment: + HOSTNAME: snort + TIMEOUT: 10 + networks: + snort_lan: +networks: + snort_lan: + driver: bridge +#volumes: +# snort: \ No newline at end of file diff --git a/entrypoint.sh b/entrypoint.sh new file mode 100644 index 0000000..10bc09c --- /dev/null +++ b/entrypoint.sh @@ -0,0 +1 @@ +/usr/bin/supervisord -c /etc/supervisor/conf.d/supervisord.conf \ No newline at end of file diff --git a/snort-agent.conf b/snort-agent.conf new file mode 100644 index 0000000..3e18ae3 --- /dev/null +++ b/snort-agent.conf @@ -0,0 +1,12 @@ +[program:snort-agent] +command=/usr/bin/python -u /usr/local/src/snort-agent/snort-agent.py +process_name=%(program_name)s +autostart=true +autorestart=true +redirect_stderr=true +stdout_logfile=/var/log/snort-agent.log +stderr_logfile=/var/log/snort-agent.log +stderr_events_enabled=true +directory=/tmp/ +stopasgroup=true +stdout_logfile_maxbytes=10MB \ No newline at end of file diff --git a/snort-conf/balanced.lua b/snort-conf/balanced.lua new file mode 100644 index 0000000..6ee5739 --- /dev/null +++ b/snort-conf/balanced.lua 
@@ -0,0 +1,20 @@
+---------------------------------------------------------------------------
+-- balanced connectivity and security policy
+-- use with -c snort.lua --tweaks balanced
+---------------------------------------------------------------------------
+
+arp_spoof = nil
+
+detection = { pcre_override = false }
+
+http_inspect.request_depth = 300
+http_inspect.response_depth = 500
+
+port_scan = nil
+
+stream_ip.min_frag_length = 16
+
+table.insert(
+ binder, 1, -- add http port binding to appease the perf gods
+ { when = { proto = 'tcp', ports = '80', role='server' }, use = { type = 'http_inspect' } })
+
diff --git a/snort-conf/connectivity.lua b/snort-conf/connectivity.lua
new file mode 100644
index 0000000..fdfbcd2
--- /dev/null
+++ b/snort-conf/connectivity.lua
@@ -0,0 +1,21 @@
+---------------------------------------------------------------------------
+-- reduced security policy that favors connectivity
+-- use with -c snort.lua --tweaks connectivity
+---------------------------------------------------------------------------
+
+arp_spoof = nil
+
+http_inspect.request_depth = 300
+http_inspect.response_depth = 500
+
+http_inspect.unzip = false
+http_inspect.utf8 = false
+
+port_scan = nil
+
+stream_ip.min_frag_length = 16
+
+table.insert(
+ binder, 1, -- add http port binding to appease the perf gods
+ { when = { proto = 'tcp', ports = '80', role='server' }, use = { type = 'http_inspect' } })
+
diff --git a/snort-conf/file_magic.rules b/snort-conf/file_magic.rules
new file mode 100644
index 0000000..7c47562
--- /dev/null
+++ b/snort-conf/file_magic.rules
@@ -0,0 +1,219 @@ +file_id (msg:"Excel spreadsheet subheader (MS Office)"; file_meta:type XLW, id 1, category "Office Documents", group "office"; file_data; content:"| 09 08 10 00 00 06 05 00 |", depth 8, offset 512; gid:4; sid:1; rev:1;) +file_id (msg:"POSIX Tape Archive file"; file_meta:type POSIX_TAR, id 2, category "Archive"; file_data; content:"| 75 73 74 61 72 00 20 20 |", depth 8, offset 257; gid:4; sid:2; rev:1;) +file_id (msg:"Pre-POSIX Tape Archive file"; file_meta:type OLD_TAR, id 3, category "Archive"; file_data; content:"| 75 73 74 61 72 20 |", depth 6, offset 257; gid:4; sid:3; rev:1;) +file_id (msg:"QuickTime movie file"; file_meta:type MOV, id 4, category "Multimedia", group "video"; file_data; content:"| 66 72 65 65 |", depth 4, offset 4; gid:4; sid:4; rev:1;) +file_id (msg:"QuickTime movie file"; file_meta:type MOV, id 5, category "Multimedia", group "video"; file_data; content:"| 6D 6F 6F 76 |", depth 4, offset 4; gid:4; sid:5; rev:1;) +file_id (msg:"QuickTime movie file"; file_meta:type MOV, id 6, category "Multimedia", group "video"; file_data; content:"| 6D 64 61 74 |", depth 4, offset 4; gid:4; sid:6; rev:1;) +file_id (msg:"QuickTime movie file"; file_meta:type MOV, id 7, category "Multimedia", group "video"; file_data; content:"| 70 6E 6F 74 |", depth 4, offset 4; gid:4; sid:7; rev:1;) +file_id (msg:"QuickTime movie file"; file_meta:type MOV, id 8, category "Multimedia", group "video"; file_data; content:"| 66 74 79 70 |", depth 4, offset 4; gid:4; sid:8; rev:1;) +file_id (msg:"File compressed with lha utility/algorithm (lha, lzh)"; file_meta:type LHA, id 9, category "Archive"; file_data; content:"| 2D 6C 68 |", depth 3, offset 2; gid:4; sid:9; rev:1;) +file_id (msg:"Disc Image file based on ISO-9660 standard (iso)c"; file_meta:type ISO, id 10, category "System files"; file_data; content:"| 43 44 30 30 31 |", depth 5, offset 32769; gid:4; sid:10; rev:1;) +file_id (msg:"Disc Image file based on ISO-9660 standard (iso)c"; file_meta:type ISO, 
id 11, category "System files"; file_data; content:"| 43 44 30 30 31 |", depth 5, offset 34817; gid:4; sid:11; rev:1;) +file_id (msg:"Disc Image file based on ISO-9660 standard (iso)c"; file_meta:type ISO, id 12, category "System files"; file_data; content:"| 43 44 30 30 31 |", depth 5, offset 36865; gid:4; sid:12; rev:1;) +file_id (msg:"S3M audio module format"; file_meta:type S3M, id 13, category "Multimedia", group "audio"; file_data; content:"| 53 43 52 4d |", depth 4, offset 44; gid:4; sid:13; rev:1;) +file_id (msg:"FLIC Animation file"; file_meta:type FLIC, id 14, category "Multimedia"; file_data; content:"| 11 AF |", depth 2, offset 4; content:"| 40 01 |", depth 2, offset 8 ; content:"| c8 00 |", depth 2, offset 10 ; file_data; content:"| 00 00 |", depth 2, offset 20 ; file_data; content:"| 00 00 00 00 00 00 00 00 |", depth 8, offset 42; gid:4; sid:14; rev:1;) +file_id (msg:"FLIC Animation file"; file_meta:type FLIC, id 15, category "Multimedia"; file_data; content:"| 12 AF |", depth 2, offset 4; content:"| 40 01 |", depth 2, offset 8 ; content:"| c8 00 |", depth 2, offset 10 ; file_data; content:"| 00 00 |", depth 2, offset 20 ; file_data; content:"| 00 00 00 00 00 00 00 00 |", depth 8, offset 42; gid:4; sid:15; rev:1;) +file_id (msg:"Windows/DOS executable file"; file_meta:type MSEXE, id 21, category "Executables,Dynamic Analysis Capable,Local Malware Analysis Capable"; file_data; content:"| 4D 5A |", depth 2, offset 0; gid:4; sid:16; rev:1;) +file_id (msg:"PDF file"; file_meta:type PDF, id 22, category "PDF files,Dynamic Analysis Capable,Local Malware Analysis Capable"; file_data; content:"| 25 50 44 46 |", depth 4, offset 0; gid:4; sid:17; rev:1;) +file_id (msg:"Rich text format word processing file"; file_meta:type RTF, id 23, category "Office Documents,Dynamic Analysis Capable"; file_data; content:"| 7B 5C 72 74 |", depth 4, offset 0; gid:4; sid:18; rev:1;) +file_id (msg:"Resource Interchange File Format"; file_meta:type RIFF, id 24, category 
"Multimedia"; file_data; content:"| 52 49 46 46 |", depth 4, offset 0; gid:4; sid:19; rev:1;) +file_id (msg:"Microsoft Compiled HTML Help File"; file_meta:type MSCHM, id 25, category "Office Documents"; file_data; content:"| 49 54 53 46 |", depth 4, offset 0; gid:4; sid:20; rev:1;) +file_id (msg:"Microsoft Windows CAB"; file_meta:type MSCAB, id 26, category "Archive"; file_data; content:"| 4D 53 43 46 |", depth 4, offset 0; gid:4; sid:21; rev:1;) +file_id (msg:"Microsoft Object Linking and Embedding Compound File, used for office documents as well as installers"; file_meta:type MSOLE2, id 27, category "Office Documents,Dynamic Analysis Capable,Local Malware Analysis Capable"; file_data; content:"| D0 CF 11 E0 A1 B1 1A E1 |", depth 8, offset 0; gid:4; sid:22; rev:1;) +file_id (msg:"SZDD file format"; file_meta:type MSSZDD, id 28, category "Archive"; file_data; content:"| 53 5A 44 44 88 F0 27 33 |", depth 8, offset 0; gid:4; sid:23; rev:1;) +file_id (msg:"PKZIP archive file"; file_meta:type ZIP, id 29, category "Archive"; file_data; content:"| 50 4B 03 04 |", depth 4, offset 0; gid:4; sid:24; rev:1;) +file_id (msg:"WinRAR compressed archive file"; file_meta:type RAR, id 30, category "Archive"; file_data; content:"| 52 61 72 21 1A 07 00 |", depth 7, offset 0; gid:4; sid:25; rev:1;) +file_id (msg:"7-Zip compressed file"; file_meta:type 7Z, id 31, category "Archive"; file_data; content:"| 37 7A BC AF 27 1C |", depth 6, offset 0; gid:4; sid:26; rev:1;) +file_id (msg:"bzip2 compressed archive"; file_meta:type BZ, id 32, category "Archive"; file_data; content:"| 42 5A 68 |", depth 3, offset 0; gid:4; sid:27; rev:1;) +file_id (msg:"GZ"; file_meta:type GZ, id 33, category "Archive"; file_data; content:"| 1F 8B 08 |", depth 3, offset 0; gid:4; sid:28; rev:1;) +file_id (msg:"Compressed archive file"; file_meta:type ARJ, id 34, category "Archive"; file_data; content:"| 60 EA 00 00 |", depth 4, offset 0; gid:4; sid:29; rev:1;) +file_id (msg:"Install Shield v5.x or 6.x compressed 
file"; file_meta:type ISHIELD_MSI, id 35, category "Executables"; file_data; content:"| 49 53 63 28 |", depth 4, offset 0; gid:4; sid:30; rev:1;) +file_id (msg:"Macintosh BinHex 4 Compressed Archive"; file_meta:type BINHEX, id 36, category "Executables"; file_data; content:"| 28 54 68 69 73 20 66 69 6C 65 20 6D 75 73 74 20 62 65 20 63 6F 6E 76 65 72 74 65 64 20 77 69 74 68 20 42 69 6E 48 65 78 20 |", depth 41, offset 0; gid:4; sid:31; rev:1;) +file_id (msg:"E-mail files for Netscape, Eudora, Outlook Express and QuickMail."; file_meta:type MAIL, id 37, category "Office Documents"; file_data; content:"| 46 72 6F 6D 20 20 20 |", depth 7, offset 0; gid:4; sid:32; rev:1;) +file_id (msg:"E-mail files for Netscape, Eudora, Outlook Express and QuickMail."; file_meta:type MAIL, id 38, category "Office Documents"; file_data; content:"| 46 72 6F 6D 20 3F 3F 3F |", depth 8, offset 0; gid:4; sid:33; rev:1;) +file_id (msg:"E-mail files for Netscape, Eudora, Outlook Express and QuickMail."; file_meta:type MAIL, id 39, category "Office Documents"; file_data; content:"| 46 72 6F 6D 3A 20 |", depth 6, offset 0; gid:4; sid:34; rev:1;) +file_id (msg:"E-mail files for Netscape, Eudora, Outlook Express and QuickMail."; file_meta:type MAIL, id 40, category "Office Documents"; file_data; content:"| 52 65 74 75 72 6E 2D 50 61 74 68 3A 20 |", depth 13, offset 0; gid:4; sid:35; rev:1;) +file_id (msg:"E-mail files for Netscape, Eudora, Outlook Express and QuickMail."; file_meta:type MAIL, id 41, category "Office Documents"; file_data; content:"| 58 2D |", depth 2, offset 0; gid:4; sid:36; rev:1;) +file_id (msg:"Transport Neutral Encapsulation Format, an E-mail attachment format"; file_meta:type TNEF, id 42, category "Office Documents"; file_data; content:"| 78 9F 3E 22 |", depth 4, offset 0; gid:4; sid:37; rev:1;) +file_id (msg:"Universal Binary/Java Bytecode"; file_meta:type BINARY_DATA, id 43, category "Executables"; file_data; content:"| CA FE BA BE |", depth 4, offset 0; gid:4; sid:38; 
rev:1;) +file_id (msg:"UUencoded file"; file_meta:type UUENCODED, id 44, category "Encoded"; file_data; content:"| 62 65 67 69 6E |", depth 5, offset 0; gid:4; sid:39; rev:1;) +file_id (msg:"Script encoder file"; file_meta:type SCRENC, id 45, category 'Encoded"; file_data; content:"| 23 40 7E 5E |", depth 4, offset 0; gid:4; sid:40; rev:1;) +file_id (msg:"Executable and Linking Format executable file (Linux/Unix)"; file_meta:type ELF, id 46, category "Executables"; file_data; content:"| 7F 45 4C 46 |", depth 4, offset 0; gid:4; sid:41; rev:1;) +file_id (msg:"Mach object file format"; file_meta:type MACHO, id 47, category "Executables"; file_data; content:"| CE FA ED FE |", depth 4, offset 0; gid:4; sid:42; rev:1;) +file_id (msg:"Mach object file format"; file_meta:type MACHO, id 48, category "Executables"; file_data; content:"| CF FA ED FE |", depth 4, offset 0; gid:4; sid:43; rev:1;) +file_id (msg:"Mach object file format"; file_meta:type MACHO, id 49, category "Executables"; file_data; content:"| FE ED FA CE |", depth 4, offset 0; gid:4; sid:44; rev:1;) +file_id (msg:"Mach object file format"; file_meta:type MACHO, id 50, category "Executables"; file_data; content:"| FE ED FA CF |", depth 4, offset 0; gid:4; sid:45; rev:1;) +file_id (msg:"Software Installation Script, an archive for Symbian OS"; file_meta:type SIS, id 51, category "Archive"; file_data; content:"| 19 04 00 10 |", depth 4, offset 0; gid:4; sid:46; rev:1;) +file_id (msg:"Flash file "; file_meta:type SWF, id 52, category "Multimedia"; file_data; content:"| 43 57 53 |", depth 3, offset 0; gid:4; sid:47; rev:1;) +file_id (msg:"Flash file "; file_meta:type SWF, id 53, category 'Multimedia"; file_data; content:"| 46 57 53 |", depth 3, offset 0; gid:4; sid:48; rev:1;) +file_id (msg:"Archive created with the cpio utility- standard ASCII format"; file_meta:type CPIO_ODC, id 55, category "Archive"; file_data; content:"| 30 37 30 37 30 37 |", depth 6, offset 0; gid:4; sid:49; rev:1;) +file_id (msg:"Archive 
created with the cpio utility- new ASCII (aka SVR4) format"; file_meta:type CPIO_NEWC, id 56, category "Archive"; file_data; content:"| 30 37 30 37 30 31 |", depth 6, offset 0; gid:4; sid:50; rev:1;) +file_id (msg:"Archive created with the cpio utility- CRC format"; file_meta:type CPIO_CRC, id 57, category "Archive"; file_data; content:"| 30 37 30 37 30 32 |", depth 6, offset 0; gid:4; sid:51; rev:1;) +file_id (msg:"MPEG video file"; file_meta:type MPEG, id 58, category "Multimedia", group "video"; file_data; content:"| 00 00 01 B3 |", depth 4, offset 0; gid:4; sid:52; rev:1;) +file_id (msg:"MPEG video file"; file_meta:type MPEG, id 59, category "Multimedia", group "video"; file_data; content:"| 00 00 01 BA |", depth 4, offset 0; gid:4; sid:53; rev:1;) +file_id (msg:"Adobe encapsulated PostScript file"; file_meta:type EPS, id 60, category "PDF files"; file_data; content:"| 25 21 50 53 2D 41 64 6F 62 65 2D |", depth 11, offset 0; gid:4; sid:54; rev:1;) +file_id (msg:"RealNetworks RealMedia streaming media file"; file_meta:type RMF, id 61, category "Multimedia"; file_data; content:"| 2E 52 4D 46 |", depth 4, offset 0; gid:4; sid:55; rev:1;) +file_id (msg:"GIF"; file_meta:type GIF, id 62, category "Graphics"; file_data; content:"| 47 49 46 38 37 61 |", depth 6, offset 0; gid:4; sid:56; rev:1;) +file_id (msg:"GIF"; file_meta:type GIF, id 63, category 'Graphics"; file_data; content:"| 47 49 46 38 39 61 |", depth 6, offset 0; gid:4; sid:57; rev:1;) +file_id (msg:"MPEG-1 Audio Layer 3 (MP3) audio file"; file_meta:type MP3, id 64, category "Multimedia"; file_data; content:"| 49 44 33 |", depth 3, offset 0; gid:4; sid:58; rev:1;) +file_id (msg:"MPEG-1 Audio Layer 3 (MP3) audio file"; file_meta:type MP3, id 65, category "Multimedia"; file_data; content:"| FF FB |", depth 2, offset 0; gid:4; sid:59; rev:1;) +file_id (msg:"Ogg Vorbis Codec compressed Multimedia file"; file_meta:type OGG, id 66, category "Multimedia"; file_data; content:"| 4F 67 67 53 |", depth 4, offset 0; 
gid:4; sid:60; rev:1;) +file_id (msg:"RIFX audio format"; file_meta:type RIFX, id 67, category "Multimedia", group "audio"; file_data; content:"| 52 49 46 58 |", depth 4, offset 0; gid:4; sid:61; rev:1;) +file_id (msg:"Symantec files"; file_meta:type SYMANTEC, id 68, category "System files"; file_data; content:"| 58 2D 53 79 6D 61 6E 74 65 63 2D |", depth 11, offset 0; gid:4; sid:62; rev:1;) +file_id (msg:"Portable Network Graphics file"; file_meta:type PNG, id 69, category "Graphics", group "multimedia"; file_data; content:"| 89 50 4E 47 0D 0A 1A 0A |", depth 8, offset 0; gid:4; sid:63; rev:1;) +file_id (msg:"JPEG/JFIF graphics file"; file_meta:type JPEG, id 70, category "Graphics", group "multimedia"; file_data; content:"| FF D8 FF E0 |", depth 4, offset 0; gid:4; sid:64; rev:1;) +file_id (msg:"Jar pack file"; file_meta:type JARPACK, id 72, category "Executables"; file_data; content:"| CA FE D0 0D |", depth 4, offset 0; gid:4; sid:65; rev:1;) +file_id (msg:"Java archive file"; file_meta:type JAR, id 73, category "Archive"; file_data; content:"| 50 4B 03 04 |", depth 4, offset 0; content:"| 4D 45 54 41 2D 49 4E 46 2F |", depth 9, offset 30; gid:4; sid:66; rev:1;) +file_id (msg:"Flash video file"; file_meta:type FLV, id 74, category "Multimedia", group "video"; file_data; content:"| 46 4C 56 01 |", depth 4, offset 0; gid:4; sid:67; rev:1;) +file_id (msg:"Waveform Audio File Format"; file_meta:type WAV, id 76, category "Multimedia", group "audio"; file_data; content:"| 62 65 61 74 |", depth 4, offset 0; gid:4; sid:68; rev:1;) +file_id (msg:"Waveform Audio File Format"; file_meta:type WAV, id 77, category "Multimedia", group "video"; file_data; content:"| 4D 58 43 33 |", depth 4, offset 0; gid:4; sid:69; rev:1;) +file_id (msg:"ffmpeg Multimedia framework"; file_meta:type FFMPEG, id 78, category "Multimedia"; file_data; content:"| 34 58 4D 56 |", depth 4, offset 0; gid:4; sid:70; rev:1;) +file_id (msg:"Apple Disk Image"; file_meta:type DMG, id 79, category "System 
files"; file_data; content:"| 45 52 02 00 |", depth 4, offset 0; gid:4; sid:71; rev:1;) +file_id (msg:"Apple Disk Image"; file_meta:type DMG, id 80, category "System files"; file_data; content:"| 32 49 4D 47 |", depth 4, offset 0; gid:4; sid:72; rev:1;) +file_id (msg:"RealPlayer video file"; file_meta:type IVR, id 81, category "Multimedia", group "video"; file_data; content:"| 2E 52 45 43 |", depth 4, offset 0; gid:4; sid:73; rev:1;) +file_id (msg:"RealPlayer video file"; file_meta:type IVR, id 82, category "Multimedia", group "video"; file_data; content:"| 2E 52 31 4D |", depth 4, offset 0; gid:4; sid:74; rev:1;) +file_id (msg:"RealAudio file"; file_meta:type RA, id 83, category "Multimedia", group "audio"; file_data; content:"| 2E 52 4D 46 00 00 00 12 00 |", depth 9, offset 0; gid:4; sid:75; rev:1;) +file_id (msg:"RealAudio file"; file_meta:type RA, id 84, category "Multimedia", group "audio"; file_data; content:"| 2E 72 61 FD 00 |", depth 5, offset 0; gid:4; sid:76; rev:1;) +file_id (msg:"Virtual Machine Disk"; file_meta:type VMDK, id 85, category "System files"; file_data; content:"| 43 4F 57 44 |", depth 4, offset 0; gid:4; sid:77; rev:1;) +file_id (msg:"Virtual Machine Disk"; file_meta:type VMDK, id 86, category "System files"; file_data; content:"|4B 44 4D |", depth 3, offset 0; gid:4; sid:78; rev:1;) +file_id (msg:"Virtual Machine Disk"; file_meta:type VMDK, id 87, category "System files"; file_data; content:"| 23 20 44 69 73 6B 20 44 65 73 63 72 69 70 74 6F |", depth 16, offset 0; gid:4; sid:79; rev:1;) +file_id (msg:"Virtual Machine Disk"; file_meta:type VMDK, id 88, category "System files"; file_data; content:"| 2E 03 00 00 01 |", depth 5, offset 0; gid:4; sid:80; rev:1;) +file_id (msg:"Free Lossless Audio Codec file"; file_meta:type FLAC, id 89, category "Multimedia", group "audio"; file_data; content:"| 66 4C 61 43 00 00 00 22 |", depth 8, offset 0; gid:4; sid:81; rev:1;) +file_id (msg:"S3M audio module format"; file_meta:type S3M, id 90 , category 
"Multimedia", group "audio"; file_data; content:"| 53 43 52 4d |", depth 4, offset 0; gid:4; sid:82; rev:1;) +file_id (msg:"Microsoft Windows Media Audio/Video File"; file_meta:type ASF, id 91, category "Multimedia", group "audio"; file_data;content:"| 30 26 B2 75 8E 66 CF 11 A6 D9 00 AA 00 62 CE 6C |", depth 16, offset 0; gid:4; sid:83; rev:1;) +file_id (msg:"Microsoft Word for Mac 5"; file_meta:type MSWORD_MAC5, id 93, category "Office Documents", group "office"; file_data; content:"| FE 37 00 23 |", depth 4, offset 0; gid:4; sid:84; rev:1;) +file_id (msg:"Microsoft symbolic Link"; file_meta:type SYLKc, id 94, category "System files"; file_data; content:"| 49 44 3B 50 |", depth 4, offset 0; gid:4; sid:85; rev:1;) +file_id (msg:"WordPerfect text and graphics file"; file_meta:type WP, id 95, category "Office Documents"; file_data; content:"| FF 57 50 43 |", depth 4, offset 0; gid:4; sid:86; rev:1;) +file_id (msg:"WordPerfect text and graphics file"; file_meta:type WP, id 96, category "Office Documents"; file_data; content:"| 81 CD AB |", depth 3, offset 0; gid:4; sid:87; rev:1;) +file_id (msg:"Tagged Image File Format file"; file_meta:type TIFF, id 97, category "Graphics", group "multimedia"; file_data; content:"| 49 49 2A 00 |", depth 4, offset 0; gid:4; sid:88; rev:1;) +file_id (msg:"Tagged Image File Format file"; file_meta:type TIFF, id 98, category "Graphics", group "multimedia"; file_data; content:"| 49 20 49 |", depth 3, offset 0; gid:4; sid:89; rev:1;) +file_id (msg:"Tagged Image File Format file"; file_meta:type TIFF, id 99, category "Graphics", group "multimedia"; file_data; content:"| 4D 4D 00 2A |", depth 4, offset 0; gid:4; sid:90; rev:1;) +file_id (msg:"Tagged Image File Format file"; file_meta:type TIFF, id 100, category "Graphics", group "multimedia"; file_data; content:"| 4D 4D 00 2B |", depth 4, offset 0; gid:4; sid:91; rev:1;) +file_id (msg:"Metastock technical analysis program for traders"; file_meta:type MWL, id 101, category "Office 
Documents"; file_data; content:"| 5b 4d 65 74 61 53 74 6f 63 6b |", depth 10, offset 0; gid:4; sid:92; rev:1;) +file_id (msg:"Microsoft Access file"; file_meta:type MDB, id 102, category "Office Documents"; file_data; content:"| 00 01 00 00 53 74 61 6E 64 61 72 64 20 4A 65 74 20 44 42 |", depth 19, offset 0; gid:4; sid:93; rev:1;) +file_id (msg:"Microsoft Access 2007 file"; file_meta:type ACCDB, id 103, category "Office Documents"; file_data; content:"| 00 01 00 00 53 74 61 6E 64 61 72 64 20 41 43 45 20 44 42 |", depth 19, offset 0; gid:4; sid:94; rev:1;) +file_id (msg:"Microsoft Money file"; file_meta:type MNY, id 104, category "Office Documents"; file_data; content:"| 00 01 00 00 4D 53 49 53 41 4D 20 44 61 74 61 62 61 73 65 |", depth 19, offset 0; gid:4; sid:95; rev:1;) +file_id (msg:"RealNetworks Realplayer REC"; file_meta:type REC, id 105, category "Multimedia"; file_data; content:"| 2e 72 65 63 00 |", depth 5, offset 0; gid:4; sid:96; rev:1;) +file_id (msg:"RealNetworks Realplayer R1M"; file_meta:type R1M, id 106, category "Multimedia"; file_data; content:"| 2e 72 31 6d |", depth 4, offset 0; gid:4; sid:97; rev:1;) +file_id (msg:"Outlook address file"; file_meta:type WAB, id 107, category "Office Documents", group "office"; file_data; content:"| 9C CB CB 8D 13 75 D2 11 91 58 00 C0 4F 79 56 A4 |", depth 16, offset 0; gid:4; sid:98; rev:1;) +file_id (msg:"Outlook address file"; file_meta:type WAB, id 108, category "Office Documents", group "office"; file_data; content:"| 81 32 84 C1 85 05 D0 11 B2 90 00 AA 00 3C F6 76 |", depth 16, offset 0; gid:4; sid:99; rev:1;) +file_id (msg:"Multimedia playlists"; file_meta:type M3U, id 109, category "Multimedia"; file_data; content:"| 23 45 58 54 4d 33 55 |", depth 7, offset 0; gid:4; sid:100; rev:1;) +file_id (msg:"Matroska stream file"; file_meta:type MKV, id 110, category "Multimedia"; file_data; content:"| 1A 45 DF A3 93 42 82 88 6D 61 74 72 6F 73 6B 61 |", depth 16, offset 0; gid:4; sid:101; rev:1;) +file_id 
(msg:"ChromaGraph Graphics Card Bitmap Graphic file"; file_meta:type IMG_PICT, id 111, category "Graphics", group "multimedia"; file_data; content:"| 50 49 43 54 00 08 |", depth 6, offset 0; gid:4; sid:102; rev:1;) +file_id (msg:"Advanced Module Format for digital music"; file_meta:type AMF, id 112, category "Multimedia", group "audio"; file_data; content:"| 41 4d 46 |", depth 3, offset 0; gid:4; sid:103; rev:1;) +file_id (msg:"WebM audio-video format"; file_meta:type WEBM, id 113, category "Multimedia", group "audio,video"; file_data; content:"| 1A 45 DF A3 |", depth 4, offset 0; gid:4; sid:104; rev:1;) +file_id (msg:"Autodesk Maya"; file_meta:type MAYA, id 114, category "Graphics"; file_data; content:"| 2f 2f 4d 61 79 61 |", depth 6, offset 0; gid:4; sid:105; rev:1;) +file_id (msg:"Musical Instrument Digital Interface (MIDI) sound file"; file_meta:type MIDI, id 115, category "Multimedia", group "audio"; file_data; content:"| 4D 54 68 64 |", depth 4, offset 0; gid:4; sid:106; rev:1;) +file_id (msg:"multimedia playlists"; file_meta:type PLS, id 116, category "Multimedia"; file_data; content:"| 5b 70 6c 61 79 6c 69 73 74 5d |", depth 10, offset 0; gid:4; sid:107; rev:1;) +file_id (msg:"Synchronized Multimedia Integration Language"; file_meta:type SMIL, id 117, category "Multimedia"; file_data; content:"| 3c 73 6d 69 6c 3e |", depth 6, offset 0; gid:4; sid:108; rev:1;) +file_id (msg:"Synchronized Accessible Media Interchange"; file_meta:type SAMI, id 119, category "Multimedia"; file_data; content:"| 3c 53 41 4d 49 |", depth 5, offset 0; gid:4; sid:109; rev:1;) +file_id (msg:"Autodesk AutoCAD file (dwg) "; file_meta:type DWG, id 130, category "Graphics"; file_data; content:"| 41 43 31 30 |", depth 4, offset 0; gid:4; sid:111; rev:1;) +file_id (msg:"Microsoft Document Imaging file (mdi)"; file_meta:type MDI, id 132, category "Office Documents"; file_data; content:"| 45 50 |", depth 2, offset 0; gid:4; sid:112; rev:1;) +file_id (msg:"PGP disk image(PGD)"; file_meta:type 
PGD, id 133, category "System files"; file_data; content:"| 50 47 50 64 4D 41 49 4E |", depth 8, offset 0; gid:4; sid:113; rev:1;) +file_id (msg:"Photoshop image file (PSD)"; file_meta:type PSD, id 134, category "Graphics"; file_data; content:"| 38 42 50 53 |", depth 4, offset 0; gid:4; sid:114; rev:1;) +file_id (msg:"Windows 9x registry hive (REG)"; file_meta:type 9XHIVE, id 135, category "System files"; file_data; content:"| 43 52 45 47 |", depth 4, offset 0; gid:4; sid:115; rev:1;) +file_id (msg:"Windows Registry and Registry Undo files (REG)"; file_meta:type REG, id 136, category "System files"; file_data; content:"| 52 45 47 45 44 49 54 |", depth 7, offset 0; gid:4; sid:116; rev:1;) +file_id (msg:"Windows graphics metafile "; file_meta:type WMF, id 137, category "Graphics"; file_data; content:"| 01 00 09 00 00 03 |", depth 6, offset 0; gid:4; sid:117; rev:1;) +file_id (msg:"Windows Write document file (wri) "; file_meta:type WRI, id 138, category "Office Documents"; file_data; content:"| BE 00 00 00 AB 00 00 00 00 00 00 00 00 |", depth 13, offset 0; gid:4; sid:118; rev:1;) +file_id (msg:"RedHat Package Manager file"; file_meta:type RPM, id 139, category "Executables"; file_data; content:"| ED AB EE DB |", depth 4, offset 0; gid:4; sid:119; rev:1;) +file_id (msg:"Microsoft OneNote note"; file_meta:type ONE, id 140, category "Office Documents", group "office"; file_data; content:"| E4 52 5C 7B 8C D8 A7 4D AE B1 53 78 D0 29 96 D3 |", depth 16, offset 0; gid:4; sid:120; rev:1;) +file_id (msg:"MPEG-4 video files"; file_meta:type MP4, id 141, category "Multimedia", group "video"; file_data; content:"| 00 00 00 18 66 74 79 70 33 67 70 35 |", depth 12, offset 0; gid:4; sid:121; rev:1;) +file_id (msg:"MPEG-4 video files"; file_meta:type MP4, id 142, category "Multimedia", group "video"; file_data; content:"| 66 74 79 70 69 73 6F 6D |", depth 8, offset 4; gid:4; sid:122; rev:1;) +file_id (msg:"Packet capture file"; file_meta:type PCAP, id 143, category "System files"; 
file_data; content:"| D4 C3 B2 A1 |", depth 4, offset 0; gid:4; sid:123; rev:1;) +file_id (msg:"Packet capture file"; file_meta:type PCAP, id 144, category "System files"; file_data; content:"| 34 CD B2 A1 |", depth 4, offset 0; gid:4; sid:124; rev:1;) +file_id (msg:"Packet capture file"; file_meta:type PCAP, id 145, category "System files"; file_data; content:"| A1 B2 C3 D4 |", depth 4, offset 0; gid:4; sid:125; rev:1;) +file_id (msg:"Packet capture file"; file_meta:type PCAP, id 146, category "System files"; file_data; content:"| A1 B2 CD 34 |", depth 4, offset 0; gid:4; sid:126; rev:1;) +file_id (msg:"Packet capture file"; file_meta:type PCAP, id 147, category "System files"; file_data; content:"| 52 54 53 53 |", depth 4, offset 0; gid:4; sid:127; rev:1;) +file_id (msg:"Bitmap image file"; file_meta:type BMP, id 148, category "Graphics", group "multimedia"; file_data; content:"| 42 4D |", depth 2, offset 0; gid:4; sid:128; rev:1;) +file_id (msg:"Windows icon file"; file_meta:type ICO, id 149, category "Graphics"; file_data; content:"| 00 00 01 00 |", depth 4, offset 0; gid:4; sid:129; rev:1;) +file_id (msg:"BitTorrent File"; file_meta:type TORRENT, id 150, category "Executables"; file_data; content:"| 64 38 3A 61 6E 6E 6F 75 6E 63 65 |", depth 11, offset 0; gid:4; sid:130; rev:1;) +file_id (msg:"Adaptive Multi-Rate Codec File"; file_meta:type AMR, id 151, category "Multimedia"; file_data; content:"| 23 21 41 4D 52 |", depth 5, offset 0; gid:4; sid:131; rev:1;) +file_id (msg:"StuffIt compressed archive"; file_meta:type SIT, id 152, category "Archive"; file_data; content:"| 53 49 54 21 00 |", depth 5, offset 0; gid:4; sid:132; rev:1;) +file_id (msg:"Microsoft Outlook Personal Folder File"; file_meta:type PST, id 153, category "Office Documents", group "office"; file_data; content:"| 21 42 44 4E |", depth 4, offset 0; gid:4; sid:133; rev:1;) +file_id (msg:"Windows Help file"; file_meta:type HLP, id 154, category "Office Documents"; file_data; content:"| 4C 4E 02 00 
|", depth 4, offset 0; gid:4; sid:134; rev:1;) +file_id (msg:"Windows Help file"; file_meta:type HLP, id 155, category "Office Documents"; file_data; content:"| 3F 5F 03 00 |", depth 4, offset 0; gid:4; sid:135; rev:1;) +file_id (msg:"Windows Autorun setup file"; file_meta:type AUTORUN, id 156, category "Executables"; file_data; content:"| 5B 61 75 74 6F 72 75 6E 5D 0D 0A |", depth 11, offset 0; gid:4; sid:136; rev:1;) +file_id (msg:"JPEG/JFIF graphics file"; file_meta:type JPEG, id 157, category "Graphics", group "multimedia"; file_data; content:"| FF D8 FF E1 |", depth 4, offset 0; gid:4; sid:137; rev:1;) +file_id (msg:"Compressed archive file"; file_meta:type ARJ, id 158, category "Archive"; file_data; content:"| 60 EA |", depth 2, offset 0; gid:4; sid:138; rev:1;) +file_id (msg:"MPEG-1 Audio Layer 3 (MP3) audio file"; file_meta:type MP3, id 159, category "Multimedia", group "audio"; file_data; content:"| FF FA |", depth 2, offset 0; gid:4; sid:139; rev:1;) +file_id (msg:"StuffIt compressed archive"; file_meta:type SIT, id 160, category "Archive"; file_data; content:"| 53 74 75 66 66 49 74 20 |", depth 8, offset 0; gid:4; sid:140; rev:1;) +file_id (msg:"Windows graphics metafile "; file_meta:type WMF, id 162, category "Graphics"; file_data; content:"| D7 CD C6 9A |", depth 4, offset 0; gid:4; sid:141; rev:1;) +file_id (msg:"Software Installation Script, an archive for Symbian OS"; file_meta:type SIS, id 163, category "Archive"; file_data; content:"| 7A 1A 20 10 |", depth 4, offset 0; gid:4; sid:142; rev:1;) +file_id (msg:"Windows Write document file (wri) "; file_meta:type WRI, id 164, category "Office Documents"; file_data; content:"| 31 BE |", depth 2, offset 0; gid:4; sid:143; rev:1;) +file_id (msg:"Windows Write document file (wri) "; file_meta:type WRI, id 165, category "Office Documents"; file_data; content:"| 32 BE |", depth 2, offset 0; gid:4; sid:144; rev:1;) +file_id (msg:"Waveform Audio File Format"; file_meta:type WAV, id 166, category "Multimedia", 
group "audio"; file_data; content:"| 52 49 46 46 |", depth 4, offset 0; content:"| 57 41 56 45 66 6D 74 20 |", depth 8, offset 8; gid:4; sid:145; rev:1;) +file_id (msg:"MPEG-4 video files"; file_meta:type MP4, id 167, category "Multimedia", group "video"; file_data; content:"| 66 74 79 70 6D 70 34 32 |", depth 8, offset 4; gid:4; sid:146; rev:1;) +file_id (msg:"MPEG-4 video files"; file_meta:type MP4, id 168, category "Multimedia", group "video"; file_data; content:"| 66 74 79 70 33 67 70 |", depth 7, offset 4; gid:4; sid:147; rev:1;) +file_id (msg:"MPEG-4 video files"; file_meta:type MP4, id 169, category "Multimedia", group "video"; file_data; content:"| 66 74 79 70 4D 53 4E 56 |", depth 8, offset 4; gid:4; sid:148; rev:1;) +file_id (msg:"Digital Imaging and Communications in Medicine"; file_meta:type DICM, id 170, category "Multimedia"; file_data; content:"| 44 49 43 4D |", depth 4, offset 128; gid:4; sid:149; rev:1;) +file_id (msg:"PKZIP encrypted archive file"; file_meta:type ZIP_ENC, id 171, category "Archive"; file_data; content:"| 50 4B 03 04 |", depth 4, offset 0; content:"| 01 |", depth 1, offset 6; gid:4; sid:150; rev:1;) +file_id (msg:"Standard Anti-Virus Test File"; file_meta:type EICAR, id 273, category "Executables"; file_data; content:"| 58 35 4F 21 50 25 |", depth 6, offset 0; gid:4; sid:151; rev:1;) +file_id (msg:"Microsoft XML Paper Specification Document"; file_meta:type XPS, id 275, category "Office Documents"; file_data; content:"| 50 4B 03 04 |", depth 4, offset 0; content:"| 46 69 78 65 64 44 6F 63 75 6D |", depth 10, offset 30; gid:4; sid:152; rev:1;) +file_id (msg:"Microsoft XML Paper Specification Document"; file_meta:type XPS, id 277, category "Office Documents"; file_data; content:"| 50 4B 03 04 |", depth 4, offset 0; content:"| 44 6F 63 75 6D 65 6E 74 73 2F |", depth 10, offset 30; gid:4; sid:153; rev:1;) +file_id (msg:"Microsoft XML Paper Specification Document"; file_meta:type XPS, id 278, category "Office Documents"; file_data; 
content:"| 50 4B 03 04 |", depth 4, offset 0; content:"| 4D 65 74 61 64 61 74 61 2F |", depth 9, offset 30; gid:4; sid:154; rev:1;) +file_id (msg:"Windows crash dump file"; file_meta:type DMP, id 279, category "System files"; file_data; content:"| 4D 44 4D 50 93 A7 |", depth 6, offset 0; gid:4; sid:155; rev:1;) +file_id (msg:"Windows crash dump file"; file_meta:type DMP, id 280, category "System files"; file_data; content:"| 50 41 47 45 44 55 36 34 |", depth 8, offset 0; gid:4; sid:156; rev:1;) +file_id (msg:"Windows crash dump file"; file_meta:type DMP, id 281, category "System files"; file_data; content:"| 50 41 47 45 44 55 4D 50 |", depth 8, offset 0; gid:4; sid:157; rev:1;) +file_id (msg:"PDF file "; file_meta:type PDF, id 282, category "PDF files,Dynamic Analysis Capable,Local Malware Analysis Capable", version "1.0"; file_data; content:"| 25 50 44 46 2D 31 2E 30 |", depth 8, offset 0; gid:4; sid:158; rev:1;) +file_id (msg:"PDF file "; file_meta:type PDF, id 283, category "PDF files,Dynamic Analysis Capable,Local Malware Analysis Capable", version "1.1"; file_data; content:"| 25 50 44 46 2D 31 2E 31 |", depth 8, offset 0; gid:4; sid:159; rev:1;) +file_id (msg:"PDF file "; file_meta:type PDF, id 284, category "PDF files,Dynamic Analysis Capable,Local Malware Analysis Capable", version "1.2"; file_data; content:"| 25 50 44 46 2D 31 2E 32 |", depth 8, offset 0; gid:4; sid:160; rev:1;) +file_id (msg:"PDF file "; file_meta:type PDF, id 285, category "PDF files,Dynamic Analysis Capable,Local Malware Analysis Capable", version "1.3"; file_data; content:"| 25 50 44 46 2D 31 2E 33 |", depth 8, offset 0; gid:4; sid:161; rev:1;) +file_id (msg:"PDF file "; file_meta:type PDF, id 286, category "PDF files,Dynamic Analysis Capable,Local Malware Analysis Capable", version "1.4"; file_data; content:"| 25 50 44 46 2D 31 2E 34 |", depth 8, offset 0; gid:4; sid:162; rev:1;) +file_id (msg:"PDF file "; file_meta:type PDF, id 287, category "PDF files,Dynamic Analysis Capable,Local 
Malware Analysis Capable", version "1.5"; file_data; content:"| 25 50 44 46 2D 31 2E 35 |", depth 8, offset 0; gid:4; sid:163; rev:1;) +file_id (msg:"PDF file "; file_meta:type PDF, id 288, category "PDF files,Dynamic Analysis Capable,Local Malware Analysis Capable", version "1.6"; file_data; content:"| 25 50 44 46 2D 31 2E 36 |", depth 8, offset 0; gid:4; sid:164; rev:1;) +file_id (msg:"PDF file "; file_meta:type PDF, id 289, category "PDF files,Dynamic Analysis Capable,Local Malware Analysis Capable", version "1.7"; file_data; content:"| 25 50 44 46 2D 31 2E 37 |", depth 8, offset 0;gid:4; sid:165; rev:1;) +file_id (msg:"Binary files for Microcontroller/Other Chip based applications"; file_meta:type IntelHEX, id 290, category "System files"; file_data; content:"| 3A 31 |", depth 2, offset 0; content:"| 30 30 |", depth 2, offset 7; gid:4; sid:166; rev:1;) +file_id (msg:"Binary files for Microcontroller/Other Chip based applications"; file_meta:type IntelHEX, id 291, category "System files"; file_data; content:"| 3A 31 |", depth 2, offset 0; content:"| 30 31 |", depth 2, offset 7; gid:4; sid:167; rev:1;) +file_id (msg:"Binary files for Microcontroller/Other Chip based applications"; file_meta:type IntelHEX, id 292, category "System files"; file_data; content:"| 3A 31 |", depth 2, offset 0; content:"| 30 32 |", depth 2, offset 7; gid:4; sid:168; rev:1;) +file_id (msg:"Binary files for Microcontroller/Other Chip based applications"; file_meta:type IntelHEX, id 293, category "System files"; file_data; content:"| 3A 31 |", depth 2, offset 0; content:"| 30 33 |", depth 2, offset 7; gid:4; sid:169; rev:1;) +file_id (msg:"Binary files for Microcontroller/Other Chip based applications"; file_meta:type IntelHEX, id 294, category "System files"; file_data; content:"| 3A 31 |", depth 2, offset 0; content:"| 30 34 |", depth 2, offset 7; gid:4; sid:170; rev:1;) +file_id (msg:"Binary files for Microcontroller/Other Chip based applications"; file_meta:type IntelHEX, id 295, 
category "System files"; file_data; content:"| 3A 31 |", depth 2, offset 0; content:"| 30 35 |", depth 2, offset 7; gid:4; sid:171; rev:1;) +file_id (msg:"Binary files for Microcontroller/Other Chip based applications"; file_meta:type IntelHEX, id 296, category "System files"; file_data; content:"| 3A 31 |", depth 2, offset 0; content:"| 32 30 |", depth 2, offset 7; gid:4; sid:172; rev:1;) +file_id (msg:"Binary files for Microcontroller/Other Chip based applications"; file_meta:type IntelHEX, id 297, category "System files"; file_data; content:"| 3A 31 |", depth 2, offset 0; content:"| 32 32 |", depth 2, offset 7; gid:4; sid:173; rev:1;) +file_id (msg:"Binary files for Microcontroller/Other Chip based applications"; file_meta:type IntelHEX, id 298, category "System files"; file_data; content:"| 3A 32 |", depth 2, offset 0; content:"| 30 30 |", depth 2, offset 7; gid:4; sid:174; rev:1;) +file_id (msg:"Binary files for Microcontroller/Other Chip based applications"; file_meta:type IntelHEX, id 300, category "System files"; file_data; content:"| 3A 32 |", depth 2, offset 0; content:"| 30 31 |", depth 2, offset 7; gid:4; sid:175; rev:1;) +file_id (msg:"Binary files for Microcontroller/Other Chip based applications"; file_meta:type IntelHEX, id 301, category "System files"; file_data; content:"| 3A 32 |", depth 2, offset 0; content:"| 30 32 |", depth 2, offset 7; gid:4; sid:176; rev:1;) +file_id (msg:"Binary files for Microcontroller/Other Chip based applications"; file_meta:type IntelHEX, id 302, category "System files"; file_data; content:"| 3A 32 |", depth 2, offset 0; content:"| 30 33 |", depth 2, offset 7; gid:4; sid:177; rev:1;) +file_id (msg:"Binary files for Microcontroller/Other Chip based applications"; file_meta:type IntelHEX, id 303, category "System files"; file_data; content:"| 3A 32 |", depth 2, offset 0; content:"| 30 34 |", depth 2, offset 7; gid:4; sid:178; rev:1;) +file_id (msg:"Binary files for Microcontroller/Other Chip based applications"; 
file_meta:type IntelHEX, id 304, category "System files"; file_data; content:"| 3A 32 |", depth 2, offset 0; content:"| 30 35 |", depth 2, offset 7; gid:4; sid:179; rev:1;) +file_id (msg:"Binary files for Microcontroller/Other Chip based applications"; file_meta:type IntelHEX, id 306, category "System files"; file_data; content:"| 3A 32 |", depth 2, offset 0; content:"| 32 32 |", depth 2, offset 7; gid:4; sid:180; rev:1;) +file_id (msg:"Windows Registry and Registry Undo files (REG)"; file_meta:type REG, id 307, category "System files"; file_data; content:"| FF FE |", depth 2, offset 0; gid:4; sid:181; rev:1;) +file_id (msg:"Proprietary layout engine for Microsoft Internet Explorer"; file_meta:type MSHTML, id 308, category "Office Documents"; file_data; content:"| 3D 22 2D 2D 2D 2D 3D 5F |", depth 8, offset 60; gid:4; sid:182; rev:1;) +file_id (msg:"Microsoft Visual Basic files, including .cs, .vb, and .vbp"; file_meta:type VB, id 310, category "System files"; file_data; content:"| EF BB BF |", depth 3, offset 0; gid:4; sid:183; rev:1;) +file_id (msg:"Microsoft Visual Basic files, including .cs, .vb, and .vbp"; file_meta:type VB, id 311, category "System files"; file_data; content:"| 54 79 70 65 3D 45 78 65 |", depth 8, offset 0; gid:4; sid:184; rev:1;) +file_id (msg:"MPEG-4 video files"; file_meta:type MP4, id 313, category "Multimedia"; file_data; content:"| 66 74 79 70 64 61 73 68 |", depth 8, offset 4; gid:4; sid:185; rev:1;) +file_id (msg:"Microsoft Windows Shortcut Files"; file_meta:type LNK, id 314, category "Executables"; file_data; content:"| 4C 00 00 00 01 14 02 00 |", depth 8, offset 0; gid:4; sid:186; rev:1;) +file_id (msg:"Microsoft Windows Shortcut Files"; file_meta:type SCR, id 315, category "Executables"; file_data; content:"| 44 43 4E 01 |", depth 4, offset 0; gid:4; sid:187; rev:1;) +file_id (msg:"Microsoft Windows Shortcut Files"; file_meta:type SCR, id 316, category "Executables"; file_data; content:"| 44 43 44 01 |", depth 4, offset 0; gid:4; 
sid:188; rev:1;) +file_id (msg:"Matroska stream file"; file_meta:type MKV, id 317, category "Multimedia"; file_data; content:"| 1A 45 DF A3 01 00 00 00 00 00 00 23 42 86 81 01 |", depth 16, offset 0; gid:4; sid:189; rev:1;) +file_id (msg:"FLIC Animation file"; file_meta:type FLIC, id 16, category "Multimedia"; file_data; content:"| 44 AF |", depth 2, offset 4; content:"| 40 01 |", depth 2, offset 8 ; content:"| c8 00 |", depth 2, offset 10 ; file_data; content:"| 00 00 |", depth 2, offset 20 ; file_data; content:"| 00 00 00 00 00 00 00 00 |", depth 8, offset 42; gid:4; sid:190; rev:1;) +file_id (msg:"FLIC Animation file"; file_meta:type FLIC, id 17, category "Multimedia"; file_data; content:"| 30 AF |", depth 2, offset 4; content:"| 40 01 |", depth 2, offset 8 ; content:"| c8 00 |", depth 2, offset 10 ; file_data; content:"| 00 00 |", depth 2, offset 20 ; file_data; content:"| 00 00 00 00 00 00 00 00 |", depth 8, offset 42; gid:4; sid:191; rev:1;) +file_id (msg:"FLIC Animation file"; file_meta:type FLIC, id 18, category "Multimedia"; file_data; content:"| 31 AF |", depth 2, offset 4; content:"| 40 01 |", depth 2, offset 8 ; content:"| c8 00 |", depth 2, offset 10 ; file_data; content:"| 00 00 |", depth 2, offset 20 ; file_data; content:"| 00 00 00 00 00 00 00 00 |", depth 8, offset 42; gid:4; sid:192; rev:1;) +file_id (msg:"Windows NT registry hive (REG)"; file_meta:type NTHIVE, id 161, category "System files"; file_data; content:"| 72 65 67 66 |", depth 4, offset 0; gid:4; sid:193; rev:1;) +file_id (msg:"Binary files for Microcontroller/Other Chip based applications"; file_meta:type IntelHEX, id 305, category "System files"; file_data; content:"| 3A 32 |", depth 2, offset 0; content:"| 32 30 |", depth 2, offset 7; gid:4; sid:194; rev:1;) +file_id (msg:"Java archive file"; file_meta:type JAR, id 318, category "Archive"; file_data; content:"| 50 4B 03 04 |", depth 4, offset 0; content:"| 63 6F 6E 74 65 6E 74 2F |", depth 8, offset 30; gid:4; sid:195; rev:1;) 
+file_id (msg:"Java archive file"; file_meta:type JAR, id 319, category "Archive"; file_data; content:"| 50 4B 03 04 |", depth 4, offset 0; content:"| 6F 70 74 69 6F 6E 73 2F |", depth 8, offset 30; gid:4; sid:196; rev:1;) +file_id (msg:"WinRAR compressed archive file"; file_meta:type RAR, id 320, category "Archive", version "1.1"; file_data; content:"| 52 61 72 21 1A 07 01 00 |", depth 8, offset 0; gid:4; sid:197; rev:1;) +file_id (msg:"Archive file for Microsoft created using software ALZip"; file_meta:type ALZ, id 321, category "Archive"; file_data; content:"| 41 4C 5A 01 |", depth 4, offset 0; gid:4; sid:198; rev:1;) +file_id (msg:"Archive File for Microsoft created using software ALZip"; file_meta:type EGG, id 322, category "Archive"; file_data; content:"| 45 47 47 41 |", depth 4, offset 0; gid:4; sid:199; rev:1;) +file_id (msg:"Hangul word processor file"; file_meta:type HWP, id 323, category "Office Documents", version "3.0"; file_data; content:"| 48 57 50 20 44 6F 63 75 6D 65 6E 74 20 46 69 6C 65 |", depth 17, offset 0; gid:4; sid:200; rev:1;) +file_id (msg:"Flash file"; file_meta:type SWF, id 324, category "Multimedia"; file_data; content:"| 5A 57 53 |", depth 3, offset 0; gid:4; sid:201; rev:1;) +file_id (msg:"Packet capture file"; file_meta:type PCAP, id 325, category "System files"; file_data; content:"| 0A 0D 0D 0A |", depth 4, offset 0; gid:4; sid:202; rev:1;) +file_id (msg:"Flash file "; file_meta:type SWF, id 54, category "Multimedia"; file_data; content:"| 58 46 49 52 |", depth 4, offset 0; gid:4; sid:203; rev:1;) +file_id (msg:"Microsoft Office Open XML Format (OOXML) Document (PPTX)"; file_meta:type PPTX, id 326, category "Office Documents,Dynamic Analysis Capable,Local Malware Analysis Capable", group "office"; file_data; content:"| 50 4B 03 04 |", depth 4, offset 0; content:"| 70 70 74 2f |", depth 4, offset 30; gid:4; sid:204; rev:1;) +file_id (msg:"Microsoft Office Open XML Format (OOXML) Document (DOCX)"; file_meta:type DOCX, id 327, 
category "Office Documents,Dynamic Analysis Capable,Local Malware Analysis Capable", group "office"; file_data; content:"| 50 4B 03 04 |", depth 4, offset 0; content:"| 77 6f 72 64 2f |", depth 5, offset 30; gid:4; sid:205; rev:1;) +file_id (msg:"Microsoft Office Open XML Format (OOXML) Document (XLSX)"; file_meta:type XLSX, id 328, category "Office Documents,Dynamic Analysis Capable,Local Malware Analysis Capable", group "office"; file_data; content:"| 50 4B 03 04 |", depth 4, offset 0; content:"| 78 6c 2f |", depth 3, offset 30; gid:4; sid:206; rev:1;) +file_id (msg:"Microsoft Office Open XML Format (OOXML) Document (DOCX, PPTX, XLSX)"; file_meta:type NEW_OFFICE, id 329, category "Office Documents,Dynamic Analysis Capable,Local Malware Analysis Capable", group "office"; file_data; content:"| 50 4B 03 04 |", depth 4, offset 0; content:"| 5b 43 6f 6e 74 65 6e 74 5f 54 79 70 65 73 5d 2e |", depth 16, offset 30; gid:4; sid:207; rev:1;) +file_id (msg:"Microsoft Office Open XML Format (OOXML) Document (DOCX, PPTX, XLSX)"; file_meta:type NEW_OFFICE, id 330, category "Office Documents,Dynamic Analysis Capable,Local Malware Analysis Capable", group "office"; file_data; content:"| 50 4B 03 04 |", depth 4, offset 0; content:"| 5f 72 65 6c 73 2f |", depth 6, offset 30; gid:4; sid:208; rev:1;) +file_id (msg:"Microsoft Office Open XML Format (OOXML) Document (DOCX, PPTX, XLSX)"; file_meta:type NEW_OFFICE, id 331, category "Office Documents,Dynamic Analysis Capable,Local Malware Analysis Capable", group "office"; file_data; content:"| 50 4B 03 04 |", depth 4, offset 0; content:"| 64 6f 63 50 72 6f 70 73 2f |", depth 9, offset 30; gid:4; sid:209; rev:1;) +file_id (msg:"Audio Interchange File Format"; file_meta:type AIF, id 345, category "Multimedia"; file_data; content:"| 46 4F 52 40 |", depth 4, offset 0; gid:4; sid:210; rev:1;) +file_id (msg:"Audio Interchange File Format"; file_meta:type AIF, id 346, category "Multimedia"; file_data; content:"| 41 49 46 46 |", depth 4, offset 
8; gid:4; sid:211; rev:1;) +file_id (msg:"Debian package file"; file_meta:type DEB, id 333, category "System files"; file_data; content:"| 21 3C 61 72 |", depth 4, offset 0; gid:4; sid:212; rev:1;) +file_id (msg:"Windows Cursor file"; file_meta:type CUR, id 337, category "System files"; file_data; content:"| 00 00 02 00 02 00 30 30 00 00 01 |", depth 11, offset 0; gid:4; sid:216; rev:1;) +file_id (msg:"Audio Video Interleave"; file_meta:type AVI, id 339, category "Multimedia"; file_data; content:"| 41 56 49 |", depth 3, offset 8; gid:4; sid:218; rev:1;) +file_id (msg:"Sound file"; file_meta:type SND, id 340, category "Multimedia"; file_data; content:"| 73 6E 64 |", depth 3, offset 1; gid:4; sid:219; rev:1;) +file_id (msg:"MPEG-4 Audio"; file_meta:type M4A, id 341, category "Multimedia"; file_data; content:"| 4D 34 41 |", depth 3, offset 8; gid:4; sid:220; rev:1;) +file_id (msg:"Video Object file, audio container in DVD media"; file_meta:type VOB, id 342, category "Multimedia"; file_data; content:"| 00 00 01 BA 44 |", depth 5, offset 0; gid:4; sid:221; rev:1;) +file_id (msg:"Windows Media Video"; file_meta:type WMV, id 343, category "Multimedia"; file_data; content:"| 30 26 B2 75 |", depth 4, offset 0; gid:4; sid:222; rev:1;) +file_id (msg:"iTunes video file"; file_meta:type M5V, id 344, category "Multimedia"; file_data; content:"| 4D 34 56 |", depth 3, offset 8; gid:4; sid:223; rev:1;) +file_id (msg:"Executable script"; file_meta:type UNIX_SCRIPT, id 347, category "Executables"; file_data; content:"| 23 21 2F |", depth 3, offset 0; gid:4; sid:224; rev:1;) diff --git a/snort-conf/inline.lua b/snort-conf/inline.lua new file mode 100644 index 0000000..132bc8a --- /dev/null +++ b/snort-conf/inline.lua 
@@ -0,0 +1,20 @@
+---------------------------------------------------------------------------
+-- inline test tweaks
+-- use with --tweaks inline
+---------------------------------------------------------------------------
+
+daq =
+{
+ modules =
+ {
+ {
+ name = 'pcap',
+ mode = 'read-file'
+ },
+ {
+ name = 'dump',
+ variables = { 'output=none' }
+ },
+ },
+}
+
diff --git a/snort-conf/max_detect.lua b/snort-conf/max_detect.lua
new file mode 100644
index 0000000..7e6ff3a
--- /dev/null
+++ b/snort-conf/max_detect.lua
@@ -0,0 +1,48 @@
+---------------------------------------------------------------------------
+-- maximum detection policy
+-- this will yield lowest throughput
+-- use with -c snort.lua --tweaks max_detect
+---------------------------------------------------------------------------
+
+arp_spoof = nil
+
+ftp_server.check_encrypted = true
+
+detection =
+{
+ pcre_match_limit = 3500,
+ pcre_match_limit_recursion = 3500,
+
+ -- enable for hyperscan for best throughput
+ -- use multiple packet threads for fast startup
+ --hyperscan_literals = true,
+ --pcre_to_regex = true
+}
+
+http_inspect.decompress_pdf = true
+http_inspect.decompress_swf = true
+http_inspect.decompress_zip = true
+http_inspect.percent_u = true
+http_inspect.normalize_javascript = true
+
+imap.decompress_pdf = true
+imap.decompress_swf = true
+imap.decompress_zip = true
+
+pop.decompress_pdf = true
+pop.decompress_swf = true
+pop.decompress_zip = true
+
+port_scan = nil
+
+search_engine.detect_raw_tcp = true
+
+smtp.decompress_pdf = true
+smtp.decompress_swf = true
+smtp.decompress_zip = true
+
+stream_ip.min_frag_length = 100
+
+telnet.check_encrypted = true
+telnet.normalize = true
+
diff --git a/snort-conf/security.lua b/snort-conf/security.lua
new file mode 100644
index 0000000..c4d7b3c
--- /dev/null
+++ b/snort-conf/security.lua
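Review bot: `port_scan = nil` and `arp_spoof = nil` switch two inspectors off inside a tweak whose header promises a "maximum detection policy", and the base snort.lua in this same change configures both (`port_scan = default_med_port_scan`, `arp_spoof = { }`), so loading this tweak silently loses scan and ARP-spoof alerting. If that is deliberate, say so next to the lines, e.g. `-- NOTE: port_scan and arp_spoof are intentionally disabled by this tweak; re-enable them if scan/ARP alerting is required`. The commented `--hyperscan_literals` / `--pcre_to_regex` lines presumably only have an effect on a Snort build with Hyperscan support, and the "best throughput" wording above them sits oddly under a header that says "lowest throughput"; a short comment stating the build requirement and that these are opt-in would remove the ambiguity.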
@@ -0,0 +1,38 @@
+---------------------------------------------------------------------------
+-- enhanced security policy
+-- use with -c snort.lua --tweaks security
+---------------------------------------------------------------------------
+
+arp_spoof = nil
+
+ftp_server.check_encrypted = true
+
+detection =
+{
+ pcre_match_limit = 3500,
+ pcre_match_limit_recursion = 3500
+}
+
+http_inspect.decompress_pdf = true
+http_inspect.decompress_swf = true
+http_inspect.decompress_zip = true
+
+imap.decompress_pdf = true
+imap.decompress_swf = true
+imap.decompress_zip = true
+
+pop.decompress_pdf = true
+pop.decompress_swf = true
+pop.decompress_zip = true
+
+port_scan = nil
+
+smtp.decompress_pdf = true
+smtp.decompress_swf = true
+smtp.decompress_zip = true
+
+stream_ip.min_frag_length = 100
+
+telnet.check_encrypted = true
+telnet.normalize = true
+
diff --git a/snort-conf/sensitive_data.rules b/snort-conf/sensitive_data.rules
new file mode 100644
index 0000000..3a7b829
--- /dev/null
+++ b/snort-conf/sensitive_data.rules
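Review bot: The header says only "enhanced security policy", which does not tell an operator what this tweak actually changes relative to the base snort.lua or how it differs from max_detect.lua, with which it shares every line except `percent_u`, `normalize_javascript`, `search_engine.detect_raw_tcp` and the hyperscan comments. Raising `pcre_match_limit`/`pcre_match_limit_recursion` to 3500 and turning on pdf/swf/zip decompression for http, imap, pop and smtp buy coverage at the cost of more CPU and memory per flow, and `port_scan = nil` / `arp_spoof = nil` drop two inspectors the base config enables, none of which is stated. I would extend the header with something like `-- enables payload decompression (pdf/swf/zip) for http/imap/pop/smtp, encrypted-channel checks for ftp/telnet and higher PCRE limits; disables port_scan and arp_spoof` so the trade-off is visible where the tweak is chosen.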
@@ -0,0 +1,25 @@
+alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"SENSITIVE-DATA Credit Card Numbers"; flow:only_stream; pkt_data; sd_pattern:"credit_card", threshold 2; service:http, smtp, ftp-data, imap, pop3; classtype:sdf; gid:13; sid:1; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"SENSITIVE-DATA Credit Card Numbers"; file_data; sd_pattern:"credit_card", threshold 2; service:http, smtp, ftp-data, imap, pop3; classtype:sdf; gid:13; sid:2; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"SENSITIVE-DATA Credit Card Numbers"; http_uri; sd_pattern:"credit_card", threshold 2; service:http; classtype:sdf; gid:13; sid:3; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"SENSITIVE-DATA Credit Card Numbers"; http_header; sd_pattern:"credit_card", threshold 2; service:http; classtype:sdf; gid:13; sid:4; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"SENSITIVE-DATA Credit Card Numbers"; http_client_body; sd_pattern:"credit_card", threshold 2; service:http; classtype:sdf; gid:13; sid:5; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"SENSITIVE-DATA U.S. Social Security Numbers (with dashes)"; flow:only_stream; pkt_data; sd_pattern:"us_social", threshold 2; service:http, smtp, ftp-data, imap, pop3; classtype:sdf; gid:13; sid:6; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"SENSITIVE-DATA U.S. Social Security Numbers (with dashes)"; file_data; sd_pattern:"us_social", threshold 2; service:http, smtp, ftp-data, imap, pop3; classtype:sdf; gid:13; sid:7; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"SENSITIVE-DATA U.S. Social Security Numbers (with dashes)"; http_uri; sd_pattern:"us_social", threshold 2; service:http; classtype:sdf; gid:13; sid:8; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"SENSITIVE-DATA U.S. Social Security Numbers (with dashes)"; http_header; sd_pattern:"us_social", threshold 2; service:http; classtype:sdf; gid:13; sid:9; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"SENSITIVE-DATA U.S. Social Security Numbers (with dashes)"; http_client_body; sd_pattern:"us_social", threshold 2; service:http; classtype:sdf; gid:13; sid:10; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"SENSITIVE-DATA U.S. Social Security Numbers (w/out dashes)"; flow:only_stream; pkt_data; sd_pattern:"us_social_nodashes", threshold 20; service:http, smtp, ftp-data, imap, pop3; classtype:sdf; gid:13; sid:11; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"SENSITIVE-DATA U.S. Social Security Numbers (w/out dashes)"; file_data; sd_pattern:"us_social_nodashes", threshold 20; service:http, smtp, ftp-data, imap, pop3; classtype:sdf; gid:13; sid:12; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"SENSITIVE-DATA U.S. Social Security Numbers (w/out dashes)"; http_uri; sd_pattern:"us_social_nodashes", threshold 20; service:http; classtype:sdf; gid:13; sid:13; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"SENSITIVE-DATA U.S. Social Security Numbers (w/out dashes)"; http_header; sd_pattern:"us_social_nodashes", threshold 20; service:http; classtype:sdf; gid:13; sid:14; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"SENSITIVE-DATA U.S. Social Security Numbers (w/out dashes)"; http_client_body; sd_pattern:"us_social_nodashes", threshold 20; service:http; classtype:sdf; gid:13; sid:15; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"SENSITIVE-DATA Email Addresses"; flow:only_stream; pkt_data; sd_pattern:"email", threshold 20; service:http, smtp, ftp-data, imap, pop3; classtype:sdf; gid:13; sid:16; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"SENSITIVE-DATA Email Addresses"; file_data; sd_pattern:"email", threshold 20; service:http, smtp, ftp-data, imap, pop3; classtype:sdf; gid:13; sid:17; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"SENSITIVE-DATA Email Addresses"; http_uri; sd_pattern:"email", threshold 20; service:http; classtype:sdf; gid:13; sid:18; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"SENSITIVE-DATA Email Addresses"; http_header; sd_pattern:"email", threshold 20; service:http; classtype:sdf; gid:13; sid:19; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"SENSITIVE-DATA Email Addresses"; http_client_body; sd_pattern:"email", threshold 20; service:http; classtype:sdf; gid:13; sid:20; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"SENSITIVE-DATA U.S. Phone Numbers"; flow:only_stream; pkt_data; sd_pattern:"us_phone", threshold 20; service:http, smtp, ftp-data, imap, pop3; classtype:sdf; gid:13; sid:21; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"SENSITIVE-DATA U.S. Phone Numbers"; file_data; sd_pattern:"us_phone", threshold 20; service:http, smtp, ftp-data, imap, pop3; classtype:sdf; gid:13; sid:22; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"SENSITIVE-DATA U.S. Phone Numbers"; http_uri; sd_pattern:"us_phone", threshold 20; service:http; classtype:sdf; gid:13; sid:23; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"SENSITIVE-DATA U.S. Phone Numbers"; http_header; sd_pattern:"us_phone", threshold 20; service:http; classtype:sdf; gid:13; sid:24; rev:1; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"SENSITIVE-DATA U.S. Phone Numbers"; http_client_body; sd_pattern:"us_phone", threshold 20; service:http; classtype:sdf; gid:13; sid:25; rev:1; )
diff --git a/snort-conf/snort.lua b/snort-conf/snort.lua
new file mode 100644
index 0000000..9fef7e0
--- /dev/null
+++ b/snort-conf/snort.lua
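Review bot: These 25 rules fire on credit-card numbers, SSNs, e-mail addresses and phone numbers, and the matched payload will be written to the alert/packet outputs in the clear unless the `ips` module has `obfuscate_pii = true` (it masks all but the last four characters of card and SSN matches); the part of snort.lua included in this change does not reach the `ips` block, so please confirm it is set, otherwise the sensor's own logs become a plaintext copy of the PII the rules are meant to catch. A header comment would also help whoever tunes this later, since nothing here explains the conventions in use: `# sd_pattern rules must use gid:13; "threshold N" is the number of pattern hits in one buffer before the rule alerts (2 for card/SSN-with-dashes, 20 for the noisier patterns); all rules are alert-only, so this is visibility, not blocking`. Note that with `EXTERNAL_NET = '!$HOME_NET'` from snort.lua the `$HOME_NET -> $EXTERNAL_NET` direction only covers egress, so intra-HOME_NET leaks are not inspected by these rules — worth stating if that is intended.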
@@ -0,0 +1,283 @@
+---------------------------------------------------------------------------
+-- Snort++ configuration
+---------------------------------------------------------------------------
+
+-- there are over 200 modules available to tune your policy.
+-- many can be used with defaults w/o any explicit configuration.
+-- use this conf as a template for your specific configuration.
+
+-- 1. configure defaults
+-- 2. configure inspection
+-- 3. configure bindings
+-- 4. configure performance
+-- 5. configure detection
+-- 6. configure filters
+-- 7. configure outputs
+-- 8. configure tweaks
+
+---------------------------------------------------------------------------
+-- 1. configure defaults
+---------------------------------------------------------------------------
+
+-- HOME_NET and EXTERNAL_NET must be set now
+-- setup the network addresses you are protecting
+HOME_NET = '172.20.0.0/24'
+
+-- set up the external network addresses.
+-- (leave as "any" in most situations)
+EXTERNAL_NET = '!$HOME_NET'
+
+include 'snort_defaults.lua'
+
+---------------------------------------------------------------------------
+-- 2. 
configure inspection
+---------------------------------------------------------------------------
+
+-- mod = { } uses internal defaults
+-- you can see them with snort --help-module mod
+
+-- mod = default_mod uses external defaults
+-- you can see them in snort_defaults.lua
+
+-- the following are quite capable with defaults:
+
+stream = { }
+stream_ip = { }
+stream_icmp = { }
+stream_tcp = { }
+stream_udp = { }
+stream_user = { }
+stream_file = { }
+
+arp_spoof = { }
+back_orifice = { }
+dns = { }
+imap = { }
+netflow = {}
+normalizer = { }
+pop = { }
+rpc_decode = { }
+sip = { }
+ssh = { }
+ssl = { }
+telnet = { }
+
+cip = { }
+dnp3 = { }
+iec104 = { }
+mms = { }
+modbus = { }
+s7commplus = { }
+
+dce_smb = { }
+dce_tcp = { }
+dce_udp = { }
+dce_http_proxy = { }
+dce_http_server = { }
+
+-- see snort_defaults.lua for default_*
+gtp_inspect = default_gtp
+port_scan = default_med_port_scan
+smtp = default_smtp
+
+ftp_server = default_ftp_server
+ftp_client = { }
+ftp_data = { }
+
+http_inspect = { }
+http2_inspect = { }
+
+-- see file_magic.rules for file id rules
+file_id = { rules_file = 'file_magic.rules' }
+file_policy = { }
+
+js_norm = default_js_norm
+
+-- the following require additional configuration to be fully effective:
+
+appid =
+{
+ -- appid requires this to use appids in rules
+ --app_detector_dir = 'directory to load appid detectors from'
+ app_detector_dir = '/usr/local/lib',
+ log_stats = true,
+
+}
+
+--[[
+reputation =
+{
+ -- configure one or both of these, then uncomment reputation
+ -- (see also related path vars at the top of snort_defaults.lua)
+
+ --blacklist = 'blacklist file name with ip lists'
+ --whitelist = 'whitelist file name with ip lists'
+}
+--]]
+
+---------------------------------------------------------------------------
+-- 3. 
configure bindings
+---------------------------------------------------------------------------
+
+wizard = default_wizard
+
+binder =
+{
+ -- port bindings required for protocols without wizard support
+ { when = { proto = 'udp', ports = '53', role='server' }, use = { type = 'dns' } },
+ { when = { proto = 'tcp', ports = '53', role='server' }, use = { type = 'dns' } },
+ { when = { proto = 'tcp', ports = '111', role='server' }, use = { type = 'rpc_decode' } },
+ { when = { proto = 'tcp', ports = '502', role='server' }, use = { type = 'modbus' } },
+ { when = { proto = 'tcp', ports = '2123 2152 3386', role='server' }, use = { type = 'gtp_inspect' } },
+ { when = { proto = 'tcp', ports = '2404', role='server' }, use = { type = 'iec104' } },
+ { when = { proto = 'udp', ports = '2222', role = 'server' }, use = { type = 'cip' } },
+ { when = { proto = 'tcp', ports = '44818', role = 'server' }, use = { type = 'cip' } },
+
+ { when = { proto = 'tcp', service = 'dcerpc' }, use = { type = 'dce_tcp' } },
+ { when = { proto = 'udp', service = 'dcerpc' }, use = { type = 'dce_udp' } },
+ { when = { proto = 'udp', service = 'netflow' }, use = { type = 'netflow' } },
+
+ { when = { service = 'netbios-ssn' }, use = { type = 'dce_smb' } },
+ { when = { service = 'dce_http_server' }, use = { type = 'dce_http_server' } },
+ { when = { service = 'dce_http_proxy' }, use = { type = 'dce_http_proxy' } },
+
+ { when = { service = 'cip' }, use = { type = 'cip' } },
+ { when = { service = 'dnp3' }, use = { type = 'dnp3' } },
+ { when = { service = 'dns' }, use = { type = 'dns' } },
+ { when = { service = 'ftp' }, use = { type = 'ftp_server' } },
+ { when = { service = 'ftp-data' }, use = { type = 'ftp_data' } },
+ { when = { service = 'gtp' }, use = { type = 'gtp_inspect' } },
+ { when = { service = 'imap' }, use = { type = 'imap' } },
+ { when = { service = 'http' }, use = { type = 'http_inspect' } },
+ { when = { service = 'http2' }, use = { type = 'http2_inspect' } },
+ { when = { 
service = 'iec104' }, use = { type = 'iec104' } },
+ { when = { service = 'mms' }, use = { type = 'mms' } },
+ { when = { service = 'modbus' }, use = { type = 'modbus' } },
+ { when = { service = 'pop3' }, use = { type = 'pop' } },
+ { when = { service = 'ssh' }, use = { type = 'ssh' } },
+ { when = { service = 'sip' }, use = { type = 'sip' } },
+ { when = { service = 'smtp' }, use = { type = 'smtp' } },
+ { when = { service = 'ssl' }, use = { type = 'ssl' } },
+ { when = { service = 'sunrpc' }, use = { type = 'rpc_decode' } },
+ { when = { service = 's7commplus' }, use = { type = 's7commplus' } },
+ { when = { service = 'telnet' }, use = { type = 'telnet' } },
+
+ { use = { type = 'wizard' } }
+}
+
+---------------------------------------------------------------------------
+-- 4. configure performance
+---------------------------------------------------------------------------
+
+-- use latency to monitor / enforce packet and rule thresholds
+--latency = { }
+
+-- use these to capture perf data for analysis and tuning
+--profiler = { }
+--perf_monitor = { }
+
+---------------------------------------------------------------------------
+-- 5. configure detection
+---------------------------------------------------------------------------
+
+references = default_references
+classifications = default_classifications
+
+ips =
+{
+ -- use this to enable decoder and inspector alerts
+ --enable_builtin_rules = true,
+
+ -- use include for rules files; be sure to set your path
+ -- note that rules files can include other rules files
+ -- (see also related path vars at the top of snort_defaults.lua)
+
+ variables = default_variables
+}
+
+-- use these to configure additional rule actions
+-- react = { }
+-- reject = { }
+
+-- use this to enable payload injection utility
+-- payload_injector = { }
+
+---------------------------------------------------------------------------
+-- 6. 
configure filters
+---------------------------------------------------------------------------
+
+-- below are examples of filters
+-- each table is a list of records
+
+--[[
+suppress =
+{
+ -- don't want to any of see these
+ { gid = 1, sid = 1 },
+
+ -- don't want to see anything for a given host
+ { track = 'by_dst', ip = '1.2.3.4' }
+
+ -- don't want to see these for a given host
+ { gid = 1, sid = 2, track = 'by_dst', ip = '1.2.3.4' },
+}
+--]]
+
+--[[
+event_filter =
+{
+ -- reduce the number of events logged for some rules
+ { gid = 1, sid = 1, type = 'limit', track = 'by_src', count = 2, seconds = 10 },
+ { gid = 1, sid = 2, type = 'both', track = 'by_dst', count = 5, seconds = 60 },
+}
+--]]
+
+--[[
+rate_filter =
+{
+ -- alert on connection attempts from clients in SOME_NET
+ { gid = 135, sid = 1, track = 'by_src', count = 5, seconds = 1,
+ new_action = 'alert', timeout = 4, apply_to = '[$SOME_NET]' },
+
+ -- alert on connections to servers over threshold
+ { gid = 135, sid = 2, track = 'by_dst', count = 29, seconds = 3,
+ new_action = 'alert', timeout = 1 },
+}
+--]]
+
+---------------------------------------------------------------------------
+-- 7. configure outputs
+---------------------------------------------------------------------------
+
+-- event logging
+-- you can enable with defaults from the command line with -A
+-- uncomment below to set non-default configs
+--alert_csv = { }
+alert_fast = {
+ file = true,
+ packet = false,
+ limit = 10,
+}
+--alert_full = { }
+--alert_sfsocket = { }
+--alert_syslog = { }
+--unified2 = { }
+
+-- packet logging
+-- you can enable with defaults from the command line with -L
+--log_codecs = { }
+--log_hext = { }
+--log_pcap = { }
+
+-- additional logs
+--packet_capture = { }
+--file_log = { }
+
+---------------------------------------------------------------------------
+-- 8. 
configure tweaks
+---------------------------------------------------------------------------
+
+if ( tweaks ~= nil ) then
+ include(tweaks .. '.lua')
+end
+
diff --git a/snort-conf/snort_defaults.lua b/snort-conf/snort_defaults.lua
new file mode 100644
index 0000000..33f90bd
--- /dev/null
+++ b/snort-conf/snort_defaults.lua
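Review bot: `ips = { variables = default_variables }` in section 5 wires in no rules, so the sensitive-data rules added earlier in this commit are not loaded by this config unless they are supplied on the command line; the comment above it ("use include for rules files; be sure to set your path") still reads as the untouched template. If the rules are meant to be loaded from here, add `include = '<path-to-rules-file>'` inside the `ips` table (or a `rules = [[ include … ]]` string); if they are passed with `-R`/`--rule-path` at runtime, a one-line comment saying so would spare the next reader the search. The `sdf` classtype those rules use is defined in `default_classifications`, so that part lines up. `HOME_NET = '172.20.0.0/24'` is a deployment-specific value; a short comment naming which network it is expected to cover (the sensor's own subnet, presumably) would help reviewers verify it against the runtime environment.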
@@ -0,0 +1,1401 @@ +--------------------------------------------------------------------------- +-- Snort++ defaults +--------------------------------------------------------------------------- + +-- this file defines the external defaults for Snort. all simple scalar +-- types have a builtin default, including those in list items, however +-- lists defaults are provided here instead of compiling them into the +-- binary. this makes it easier to copy and paste or edit for your +-- environment. + +-- include in your snort.lua +-- after you set HOME_NET and EXTERNAL_NET + +-- use these by assignment, eg +-- ftp_server = default_ftp_server + +--------------------------------------------------------------------------- +-- default paths - used in Talos configs +--------------------------------------------------------------------------- + +-- Path to your rules files (this can be a relative path) +RULE_PATH = '../rules' +BUILTIN_RULE_PATH = '../builtin_rules' +PLUGIN_RULE_PATH = '../so_rules' + +-- If you are using reputation preprocessor set these +WHITE_LIST_PATH = '../lists' +BLACK_LIST_PATH = '../lists' + +--------------------------------------------------------------------------- +-- default networks - used in Talos rules +--------------------------------------------------------------------------- +-- define servers on your network you want to protect + +DNS_SERVERS = HOME_NET +FTP_SERVERS = HOME_NET +HTTP_SERVERS = HOME_NET +SIP_SERVERS = HOME_NET +SMTP_SERVERS = HOME_NET +SQL_SERVERS = HOME_NET +SSH_SERVERS = HOME_NET +TELNET_SERVERS = HOME_NET + +--------------------------------------------------------------------------- +-- default ports - used in Talos rules +--------------------------------------------------------------------------- +-- define ports on your network you want to protect +-- where possible, use the wizard for inspection instead of explicit port +-- bindings. 
this gives you some port independence and allows you find c&c +-- channels hard port bindings would miss. Talos rules will still use these +-- ports if there is no match on service. + +FTP_PORTS = ' 21 2100 3535' + +HTTP_PORTS = +[[ + 80 81 311 383 591 593 901 1220 1414 1741 1830 2301 2381 2809 3037 3128 + 3702 4343 4848 5250 6988 7000 7001 7144 7145 7510 7777 7779 8000 8008 + 8014 8028 8080 8085 8088 8090 8118 8123 8180 8181 8243 8280 8300 8800 + 8888 8899 9000 9060 9080 9090 9091 9443 9999 11371 34443 34444 41080 + 50002 55555 +]] + +MAIL_PORTS = ' 110 143' + +ORACLE_PORTS = ' 1024:' + +SIP_PORTS = ' 5060 5061 5600' + +SSH_PORTS = ' 22' + +FILE_DATA_PORTS = HTTP_PORTS .. MAIL_PORTS + +--------------------------------------------------------------------------- +-- default variables +--------------------------------------------------------------------------- + +default_variables = +{ + nets = + { + HOME_NET = HOME_NET, + EXTERNAL_NET = EXTERNAL_NET, + DNS_SERVERS = DNS_SERVERS, + FTP_SERVERS = FTP_SERVERS, + HTTP_SERVERS = HTTP_SERVERS, + SIP_SERVERS = SIP_SERVERS, + SMTP_SERVERS = SMTP_SERVERS, + SQL_SERVERS = SQL_SERVERS, + SSH_SERVERS = SSH_SERVERS, + TELNET_SERVERS = TELNET_SERVERS, + }, + paths = + { + RULE_PATH = RULE_PATH, + BUILTIN_RULE_PATH = BUILTIN_RULE_PATH, + PLUGIN_RULE_PATH = PLUGIN_RULE_PATH, + WHITE_LIST_PATH = WHITE_LIST_PATH, + BLACK_LIST_PATH = BLACK_LIST_PATH, + }, + ports = + { + FTP_PORTS = FTP_PORTS, + HTTP_PORTS = HTTP_PORTS, + MAIL_PORTS = MAIL_PORTS, + ORACLE_PORTS = ORACLE_PORTS, + SIP_PORTS = SIP_PORTS, + SSH_PORTS = SSH_PORTS, + FILE_DATA_PORTS = FILE_DATA_PORTS, + } +} + +--------------------------------------------------------------------------- +-- default ftp server +--------------------------------------------------------------------------- + +ftp_default_cmds = +[[ + ABOR ACCT ADAT ALLO APPE AUTH CCC CDUP CEL CLNT CMD CONF CWD DELE ENC + EPRT EPSV ESTA ESTP FEAT HELP LANG LIST LPRT LPSV MACB MAIL MDTM MIC + MKD MLSD MLST MODE 
NLST NOOP OPTS PASS PASV PBSZ PORT PROT PWD QUIT + REIN REST RETR RMD RNFR RNTO SDUP SITE SIZE SMNT STAT STOR STOU STRU + SYST TEST TYPE USER XCUP XCRC XCWD XMAS XMD5 XMKD XPWD XRCP XRMD XRSQ + XSEM XSEN XSHA1 XSHA256 +]] + +ftp_default_data_chan_cmds = +[[ + PORT PASV LPRT LPSV EPRT EPSV +]] + +ftp_default_data_xfer_cmds = +[[ + RETR STOR STOU APPE LIST NLST +]] + +ftp_default_file_put_cmds = +[[ + STOR STOU APPE +]] + +ftp_default_file_get_cmds = +[[ + RETR +]] + +ftp_default_login_cmds = +[[ + USER PASS +]] + +ftp_default_encr_cmds = +[[ + AUTH +]] + +ftp_format_commands = +[[ + ACCT ADAT ALLO APPE AUTH CEL CLNT CMD CONF CWD DELE ENC EPRT EPSV ESTP + HELP LANG LIST LPRT MACB MAIL MDTM MIC MKD MLSD MLST MODE NLST OPTS + PASS PBSZ PORT PROT REST RETR RMD RNFR RNTO SDUP SITE SIZE SMNT STAT + STOR STRU TEST TYPE USER XCRC XCWD XMAS XMD5 XMKD XRCP XRMD XRSQ XSEM + XSEN XSHA1 XSHA256 +]] + +ftp_command_specs = +{ + { command = 'ABOR', length = 0 }, + { command = 'CCC', length = 0 }, + { command = 'CDUP', length = 0 }, + { command = 'ESTA', length = 0 }, + { command = 'FEAT', length = 0 }, + { command = 'LPSV', length = 0 }, + { command = 'NOOP', length = 0 }, + { command = 'PASV', length = 0 }, + { command = 'PWD', length = 0 }, + { command = 'QUIT', length = 0 }, + { command = 'REIN', length = 0 }, + { command = 'SYST', length = 0 }, + { command = 'XCUP', length = 0 }, + { command = 'XPWD', length = 0 }, + + { command = 'APPE', length = 200 }, + { command = 'CMD', length = 200 }, + { command = 'HELP', length = 200 }, + { command = 'NLST', length = 200 }, + { command = 'RETR', length = 200 }, + { command = 'RNFR', length = 200 }, + { command = 'STOR', length = 200 }, + { command = 'STOU', length = 200 }, + { command = 'XMKD', length = 200 }, + + { command = 'CWD', length = 256 }, + { command = 'RNTO', length = 256 }, + { command = 'SIZE', length = 512 }, + + { command = 'ALLO', length = 200, format = '< int [ char R int ] >' }, + { command = 'EPRT', length = 400, 
format = '< extd_host_port >' }, + { command = 'EPSV', format = "< [ { '1' | '2' | 'ALL' } ] >" }, + { command = 'LPRT', length = 400, format = '< long_host_port >' }, + { command = 'MACB', format = '< string >' }, + { command = 'MDTM', format = '< [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string >' }, + { command = 'MODE', format = '< char ASBCZ >' }, + { command = 'PORT', length = 400, format = '< host_port >' }, + { command = 'PROT', format = '< char CSEP >' }, + { command = 'STRU', format = '< char FRPO [ string ] >' }, + { command = 'TYPE', format = '< { char AE [ char NTC ] | char I | char L [ number ] } >' } +} + +default_ftp_server = +{ + -- params not specified here get internal defaults + ftp_cmds = ftp_default_cmds, + data_chan_cmds = ftp_default_data_chan_cmds, + data_xfer_cmds = ftp_default_data_xfer_cmds, + file_put_cmds = ftp_default_file_put_cmds, + file_get_cmds = ftp_default_file_get_cmds, + login_cmds = ftp_default_login_cmds, + encr_cmds = ftp_default_encr_cmds, + chk_str_fmt = ftp_format_commands, + cmd_validity = ftp_command_specs +} + +--------------------------------------------------------------------------- +-- default smtp configuration +--------------------------------------------------------------------------- + +smtp_default_auth_cmds = +[[ + AUTH XAUTH X-EXPS +]] + +smtp_default_binary_data_cmds = +[[ + BDAT XEXCH50 +]] + +smtp_default_data_cmds = +[[ + DATA +]] + +smtp_default_normalize_cmds = +[[ + ATRN AUTH BDAT CHUNKING DATA DEBUG EHLO EMAL ESAM ESND ESOM ETRN EVFY EXPN + HELO HELP IDENT MAIL NOOP ONEX QUEU QUIT RCPT RSET SAML SEND SOML STARTTLS + TICK TIME TURN TURNME VERB VRFY X-ADAT XADR XAUTH XCIR X-DRCP X-ERCP XEXCH50 + X-EXCH50 X-EXPS XGEN XLICENSE X-LINK2STATE XQUE XSTA XTRN XUSR +]] + +smtp_default_valid_cmds = smtp_default_normalize_cmds + +smtp_default_alt_max_command_lines = +{ + { command = 'ATRN', length = 255, }, + { command = 'AUTH', length = 246, }, + { command = 'BDAT', length = 255, }, + { command = 'DATA', length = 246, 
}, + { command = 'DEBUG', length = 255, }, + { command = 'EHLO', length = 500, }, + { command = 'EMAL', length = 255, }, + { command = 'ESAM', length = 255, }, + { command = 'ESND', length = 255, }, + { command = 'ESOM', length = 255, }, + { command = 'ETRN', length = 500, }, + { command = 'EVFY', length = 255, }, + { command = 'EXPN', length = 255, }, + { command = 'HELO', length = 500, }, + { command = 'HELP', length = 500, }, + { command = 'IDENT', length = 255, }, + { command = 'MAIL', length = 260, }, + { command = 'NOOP', length = 255, }, + { command = 'ONEX', length = 246, }, + { command = 'QUEU', length = 246, }, + { command = 'QUIT', length = 246, }, + { command = 'RCPT', length = 300, }, + { command = 'RSET', length = 255, }, + { command = 'SAML', length = 246, }, + { command = 'SEND', length = 246, }, + { command = 'SIZE', length = 255, }, + { command = 'SOML', length = 246, }, + { command = 'STARTTLS', length = 246, }, + { command = 'TICK', length = 246, }, + { command = 'TIME', length = 246, }, + { command = 'TURN', length = 246, }, + { command = 'TURNME', length = 246, }, + { command = 'VERB', length = 246, }, + { command = 'VRFY', length = 255, }, + { command = 'XADR', length = 246, }, + { command = 'XAUTH', length = 246, }, + { command = 'XCIR', length = 246, }, + { command = 'XEXCH50', length = 246, }, + { command = 'X-EXPS', length = 246, }, + { command = 'XGEN', length = 246, }, + { command = 'XLICENSE', length = 246, }, + { command = 'X-LINK2STATE', length = 246, }, + { command = 'XQUE', length = 246, }, + { command = 'XSTA', length = 246, }, + { command = 'XTRN', length = 246, }, + { command = 'XUSR', length = 246, } +} + +default_smtp = +{ + -- params not specified here get internal defaults + alt_max_command_line_len = smtp_default_alt_max_command_lines, + auth_cmds = smtp_default_auth_cmds, + binary_data_cmds = smtp_default_binary_data_cmds, + data_cmds = smtp_default_data_cmds, + normalize_cmds = smtp_default_normalize_cmds, + valid_cmds = 
smtp_default_valid_cmds, +} + +--------------------------------------------------------------------------- +-- default wizard +--------------------------------------------------------------------------- + +-- some HTTP and SIP methods match the whole start line to disambiguate +-- between them or, in the case of ACK, from another protocol +-- the * * patterns match unknown methods + +http_methods = +{ + 'GET', 'HEAD', 'POST', 'DELETE', 'TRACE', 'CONNECT', + 'VERSION_CONTROL', 'REPORT', 'CHECKOUT', 'CHECKIN', 'UNCHECKOUT', + 'MKWORKSPACE', 'LABEL', 'MERGE', 'BASELINE_CONTROL', + 'MKACTIVITY', 'ORDERPATCH', 'ACL', 'PATCH', 'BIND', 'LINK', + 'MKCALENDAR', 'MKREDIRECTREF', 'REBIND', 'UNBIND', 'UNLINK', + 'UPDATEREDIRECTREF', 'PROPFIND', 'PROPPATCH', 'MKCOL', 'COPY', + 'MOVE', 'LOCK', 'UNLOCK', 'SEARCH', 'BCOPY', 'BDELETE', 'BMOVE', + 'BPROPFIND', 'BPROPPATCH', 'POLL', 'UNSUBSCRIBE', 'X_MS_ENUMATTS', + 'NOTIFY * HTTP/', 'OPTIONS * HTTP/', 'SUBSCRIBE * HTTP/', 'UPDATE * HTTP/', + 'PUT * HTTP/', '* * HTTP/' +} + +sip_requests = +{ + 'INVITE', 'CANCEL', 'BYE', 'REGISTER', 'PRACK', 'PUBLISH', 'REFER', 'INFO', 'MESSAGE', + 'NOTIFY * SIP/', 'OPTIONS * SIP/', 'SUBSCRIBE * SIP/', 'UPDATE * SIP/', + 'ACK * SIP/', '* * SIP/' +} + +telnet_commands = +{ + '|FF F0|', '|FF F1|', '|FF F2|', '|FF F3|', + '|FF F4|', '|FF F5|', '|FF F6|', '|FF F7|', + '|FF F8|', '|FF F9|', '|FF FA|', '|FF FB|', + '|FF FC|', '|FF FD|', '|FF FE|' +} + + +netflow_versions = +{ + '|00 05|', '|00 09|' +} + +default_wizard = +{ + spells = + { + { service = 'ftp', proto = 'tcp', + to_client = { '220*FTP', '220*FileZilla' } }, + + { service = 'http', proto = 'tcp', + to_server = http_methods, to_client = { 'HTTP/' } }, + + { service = 'imap', proto = 'tcp', + to_client = { '** OK', '** BYE', '** PREAUTH' } }, + + { service = 'pop3', proto = 'tcp', + to_client = { '+OK', '-ERR' } }, + + { service = 'sip', + to_server = sip_requests, to_client = { 'SIP/' } }, + + { service = 'smtp', proto = 'tcp', + to_server = { 
'HELO', 'EHLO' }, + to_client = { '220*SMTP', '220*MAIL' } }, + + { service = 'ssh', proto = 'tcp', + to_server = { 'SSH-' }, to_client = { 'SSH-' } }, + + { service = 'dce_http_server', proto = 'tcp', + to_client = { 'ncacn_http' } }, + + { service = 'dce_http_proxy', proto = 'tcp', + to_server = { 'RPC_CONNECT' } }, + + }, + hexes = + { + { service = 'dnp3', proto = 'tcp', + to_server = { '|05 64|' }, to_client = { '|05 64|' } }, + + { service = 'netflow', proto = 'udp', + to_server = netflow_versions }, + + { service = 'http2', proto = 'tcp', + to_client = { '???|04 00 00 00 00 00|' }, + to_server = { '|50 52 49 20 2a 20 48 54 54 50 2f 32 2e 30 0d 0a 0d 0a 53 4d 0d 0a 0d 0a|' } }, + +--[[ + { service = 'modbus', proto = 'tcp', + to_server = { '??|0 0|' } }, + + { service = 'rpc', proto = 'tcp', + to_server = { '????|0 0 0 0 0 0 0 1|' }, + to_client = { '????|0 0 0 0 0 0 0 1|' } }, +--]] + + { service = 'ssl', proto = 'tcp', + to_server = { '|16 03|' }, to_client = { '|16 03|' } }, + + { service = 'telnet', proto = 'tcp', + to_server = telnet_commands, to_client = telnet_commands }, + }, + + curses = {'dce_udp', 'dce_tcp', 'dce_smb', 'mms', 's7commplus', 'sslv2'} +} + +--------------------------------------------------------------------------- +-- default references +--------------------------------------------------------------------------- + +default_references = +{ + { name = 'bugtraq', url = 'http://www.securityfocus.com/bid/' }, + { name = 'cve', url = 'http://cve.mitre.org/cgi-bin/cvename.cgi?name=' }, + { name = 'arachNIDS', url = 'http://www.whitehats.com/info/IDS' }, + { name = 'osvdb', url = 'http://osvdb.org/show/osvdb/' }, + { name = 'McAfee', url = 'http://vil.nai.com/vil/content/v_' }, + { name = 'nessus', url = 'http://cgi.nessus.org/plugins/dump.php3?id=' }, + { name = 'url', url = 'http://' }, + { name = 'msb', url = 'http://technet.microsoft.com/en-us/security/bulletin/' } +} + 
+--------------------------------------------------------------------------- +-- default classifications +--------------------------------------------------------------------------- + +default_classifications = +{ + { name = 'not-suspicious', priority = 3, + text = 'Not Suspicious Traffic' }, + + { name = 'unknown', priority = 3, + text = 'Unknown Traffic' }, + + { name = 'bad-unknown', priority = 2, + text = 'Potentially Bad Traffic' }, + + { name = 'attempted-recon', priority = 2, + text = 'Attempted Information Leak' }, + + { name = 'successful-recon-limited', priority = 2, + text = 'Information Leak' }, + + { name = 'successful-recon-largescale', priority = 2, + text = 'Large Scale Information Leak' }, + + { name = 'attempted-dos', priority = 2, + text = 'Attempted Denial of Service' }, + + { name = 'successful-dos', priority = 2, + text = 'Denial of Service' }, + + { name = 'attempted-user', priority = 1, + text = 'Attempted User Privilege Gain' }, + + { name = 'unsuccessful-user', priority = 1, + text = 'Unsuccessful User Privilege Gain' }, + + { name = 'successful-user', priority = 1, + text = 'Successful User Privilege Gain' }, + + { name = 'attempted-admin', priority = 1, + text = 'Attempted Administrator Privilege Gain' }, + + { name = 'successful-admin', priority = 1, + text = 'Successful Administrator Privilege Gain' }, + + { name = 'rpc-portmap-decode', priority = 2, + text = 'Decode of an RPC Query' }, + + { name = 'shellcode-detect', priority = 1, + text = 'Executable code was detected' }, + + { name = 'string-detect', priority = 3, + text = 'A suspicious string was detected' }, + + { name = 'suspicious-filename-detect', priority = 2, + text = 'A suspicious filename was detected' }, + + { name = 'suspicious-login', priority = 2, + text = 'An attempted login using a suspicious username was detected' }, + + { name = 'system-call-detect', priority = 2, + text = 'A system call was detected' }, + + { name = 'tcp-connection', priority = 4, + text = 'A TCP 
connection was detected' }, + + { name = 'trojan-activity', priority = 1, + text = 'A Network Trojan was detected' }, + + { name = 'unusual-client-port-connection', priority = 2, + text = 'A client was using an unusual port' }, + + { name = 'network-scan', priority = 3, + text = 'Detection of a Network Scan' }, + + { name = 'denial-of-service', priority = 2, + text = 'Detection of a Denial of Service Attack' }, + + { name = 'non-standard-protocol', priority = 2, + text = 'Detection of a non-standard protocol or event' }, + + { name = 'protocol-command-decode', priority = 3, + text = 'Generic Protocol Command Decode' }, + + { name = 'web-application-activity', priority = 2, + text = 'Access to a potentially vulnerable web application' }, + + { name = 'web-application-attack', priority = 1, + text = 'Web Application Attack' }, + + { name = 'misc-activity', priority = 3, + text = 'Misc activity' }, + + { name = 'misc-attack', priority = 2, + text = 'Misc Attack' }, + + { name = 'icmp-event', priority = 3, + text = 'Generic ICMP event' }, + + { name = 'inappropriate-content', priority = 1, + text = 'Inappropriate Content was Detected' }, + + { name = 'policy-violation', priority = 1, + text = 'Potential Corporate Privacy Violation' }, + + { name = 'default-login-attempt', priority = 2, + text = 'Attempt to login by a default username and password' }, + + { name = 'sdf', priority = 2, + text = 'Sensitive Data' }, + + { name = 'file-format', priority = 1, + text = 'Known malicious file or file based exploit' }, + + { name = 'malware-cnc', priority = 1, + text = 'Known malware command and control traffic' }, + + { name = 'client-side-exploit', priority = 1, + text = 'Known client side exploit attempt' } +} + +--------------------------------------------------------------------------- +-- gtp defaults +--------------------------------------------------------------------------- + +gtp_v0_msg = +{ + { type = 1, name = "echo_request" }, + { type = 2, name = "echo_response" }, 
+ { type = 3, name = "version_not_supported" }, + { type = 4, name = "node_alive_request" }, + { type = 5, name = "node_alive_response" }, + { type = 6, name = "redirection_request" }, + { type = 7, name = "redirection_response" }, + + { type = 16, name = "create_pdp_context_request" }, + { type = 17, name = "create_pdp_context_response" }, + { type = 18, name = "update_pdp_context_request" }, + { type = 19, name = "update_pdp_context_response" }, + { type = 20, name = "delete_pdp_context_request" }, + { type = 21, name = "delete_pdp_context_response" }, + { type = 22, name = "create_aa_pdp_context_request" }, + { type = 23, name = "create_aa_pdp_context_response" }, + { type = 24, name = "delete_aa_pdp_context_request" }, + { type = 25, name = "delete_aa_pdp_context_response" }, + { type = 26, name = "error_indication" }, + { type = 27, name = "pdu_notification_request" }, + { type = 28, name = "pdu_notification_response" }, + { type = 29, name = "pdu_notification_reject_request" }, + { type = 30, name = "pdu_notification_reject_response" }, + + { type = 32, name = "send_routing_info_request" }, + { type = 33, name = "send_routing_info_response" }, + { type = 34, name = "failure_report_request" }, + { type = 35, name = "failure_report_response" }, + { type = 36, name = "note_ms_present_request" }, + { type = 37, name = "note_ms_present_response" }, + + { type = 48, name = "identification_request" }, + { type = 49, name = "identification_response" }, + { type = 50, name = "sgsn_context_request" }, + { type = 51, name = "sgsn_context_response" }, + { type = 52, name = "sgsn_context_ack" }, + + { type = 240, name = "data_record_transfer_request" }, + { type = 241, name = "data_record_transfer_response" }, + + { type = 255, name = "pdu" }, +} + +gtp_v1_msg = +{ + { type = 1, name = "echo_request" }, + { type = 2, name = "echo_response" }, + { type = 3, name = "version_not_supported" }, + { type = 4, name = "node_alive_request" }, + { type = 5, name = 
"node_alive_response" }, + { type = 6, name = "redirection_request" }, + { type = 7, name = "redirection_response" }, + + { type = 16, name = "create_pdp_context_request" }, + { type = 17, name = "create_pdp_context_response" }, + { type = 18, name = "update_pdp_context_request" }, + { type = 19, name = "update_pdp_context_response" }, + { type = 20, name = "delete_pdp_context_request" }, + { type = 21, name = "delete_pdp_context_response" }, + { type = 22, name = "init_pdp_context_activation_request" }, + { type = 23, name = "init_pdp_context_activation_response" }, + + { type = 26, name = "error_indication" }, + { type = 27, name = "pdu_notification_request" }, + { type = 28, name = "pdu_notification_response" }, + { type = 29, name = "pdu_notification_reject_request" }, + { type = 30, name = "pdu_notification_reject_response" }, + { type = 31, name = "supported_ext_header_notification" }, + { type = 32, name = "send_routing_info_request" }, + { type = 33, name = "send_routing_info_response" }, + { type = 34, name = "failure_report_request" }, + { type = 35, name = "failure_report_response" }, + { type = 36, name = "note_ms_present_request" }, + { type = 37, name = "note_ms_present_response" }, + + { type = 48, name = "identification_request" }, + { type = 49, name = "identification_response" }, + { type = 50, name = "sgsn_context_request" }, + { type = 51, name = "sgsn_context_response" }, + { type = 52, name = "sgsn_context_ack" }, + { type = 53, name = "forward_relocation_request" }, + { type = 54, name = "forward_relocation_response" }, + { type = 55, name = "forward_relocation_complete" }, + { type = 56, name = "relocation_cancel_request" }, + { type = 57, name = "relocation_cancel_response" }, + { type = 58, name = "forward_srns_contex" }, + { type = 59, name = "forward_relocation_complete_ack" }, + { type = 60, name = "forward_srns_contex_ack" }, + + { type = 70, name = "ran_info_relay" }, + + { type = 96, name = "mbms_notification_request" }, + { type = 
97, name = "mbms_notification_response" },
+ { type = 98, name = "mbms_notification_reject_request" },
+ { type = 99, name = "mbms_notification_reject_response" },
+ { type = 100, name = "create_mbms_context_request" },
+ { type = 101, name = "create_mbms_context_response" },
+ { type = 102, name = "update_mbms_context_request" },
+ { type = 103, name = "update_mbms_context_response" },
+ { type = 104, name = "delete_mbms_context_request" },
+ { type = 105, name = "delete_mbms_context_response" },
+
+ { type = 112, name = "mbms_register_request" },
+ { type = 113, name = "mbms_register_response" },
+ { type = 114, name = "mbms_deregister_request" },
+ { type = 115, name = "mbms_deregister_response" },
+ { type = 116, name = "mbms_session_start_request" },
+ { type = 117, name = "mbms_session_start_response" },
+ { type = 118, name = "mbms_session_stop_request" },
+ { type = 119, name = "mbms_session_stop_response" },
+ { type = 120, name = "mbms_session_update_request" },
+ { type = 121, name = "mbms_session_update_response" },
+
+ { type = 128, name = "ms_info_change_request" },
+ { type = 129, name = "ms_info_change_response" },
+
+ { type = 240, name = "data_record_transfer_request" },
+ { type = 241, name = "data_record_transfer_response" },
+
+ { type = 254, name = "end_marker" },
+ { type = 255, name = "pdu" },
+}
+
+gtp_v2_msg =
+{
+ { type = 1, name = "echo_request" },
+ { type = 2, name = "echo_response" },
+ { type = 3, name = "version_not_supported" },
+
+ { type = 32, name = "create_session_request" },
+ { type = 33, name = "create_session_response" },
+ { type = 34, name = "modify_bearer_request" },
+ { type = 35, name = "modify_bearer_response" },
+ { type = 36, name = "delete_session_request" },
+ { type = 37, name = "delete_session_response" },
+ { type = 38, name = "change_notification_request" },
+ { type = 39, name = "change_notification_response" },
+
+ { type = 64, name = "modify_bearer_command" },
+ { type = 65, name = "modify_bearer_failure_indication" },
+ { type = 66, name = "delete_bearer_command" },
+ { type = 67, name = "delete_bearer_failure_indication" },
+ { type = 68, name = "bearer_resource_command" },
+ { type = 69, name = "bearer_resource_failure_indication" },
+ { type = 70, name = "downlink_failure_indication" },
+ { type = 71, name = "trace_session_activation" },
+ { type = 72, name = "trace_session_deactivation" },
+ { type = 73, name = "stop_paging_indication" },
+
+ { type = 95, name = "create_bearer_request" },
+ { type = 96, name = "create_bearer_response" },
+ { type = 97, name = "update_bearer_request" },
+ { type = 98, name = "update_bearer_response" },
+ { type = 99, name = "delete_bearer_request" },
+ { type = 100, name = "delete_bearer_response" },
+ { type = 101, name = "delete_pdn_request" },
+ { type = 102, name = "delete_pdn_response" },
+
+ { type = 128, name = "identification_request" },
+ { type = 129, name = "identification_response" },
+ { type = 130, name = "sgsn_context_request" },
+ { type = 131, name = "sgsn_context_response" },
+ { type = 132, name = "sgsn_context_ack" },
+ { type = 133, name = "forward_relocation_request" },
+ { type = 134, name = "forward_relocation_response" },
+ { type = 135, name = "forward_relocation_complete" },
+ { type = 136, name = "forward_relocation_complete_ack" },
+ { type = 137, name = "forward_access" },
+ { type = 138, name = "forward_access_ack" },
+ { type = 139, name = "relocation_cancel_request" },
+ { type = 140, name = "relocation_cancel_response" },
+ { type = 141, name = "configuration_transfer_tunnel" },
+
+ { type = 149, name = "detach" },
+ { type = 150, name = "detach_ack" },
+ { type = 151, name = "cs_paging" },
+ { type = 152, name = "ran_info_relay" },
+ { type = 153, name = "alert_mme" },
+ { type = 154, name = "alert_mme_ack" },
+ { type = 155, name = "ue_activity" },
+ { type = 156, name = "ue_activity_ack" },
+
+ { type = 160, name = "create_forward_tunnel_request" },
+ { type = 161, name = "create_forward_tunnel_response" },
+ { type = 162, name = "suspend" },
+ { type = 163, name = "suspend_ack" },
+ { type = 164, name = "resume" },
+ { type = 165, name = "resume_ack" },
+ { type = 166, name = "create_indirect_forward_tunnel_request" },
+ { type = 167, name = "create_indirect_forward_tunnel_response" },
+ { type = 168, name = "delete_indirect_forward_tunnel_request" },
+ { type = 169, name = "delete_indirect_forward_tunnel_response" },
+ { type = 170, name = "release_access_bearer_request" },
+ { type = 171, name = "release_access_bearer_response" },
+
+ { type = 176, name = "downlink_data" },
+ { type = 177, name = "downlink_data_ack" },
+
+ { type = 179, name = "pgw_restart" },
+ { type = 180, name = "pgw_restart_ack" },
+
+ { type = 200, name = "update_pdn_request" },
+ { type = 201, name = "update_pdn_response" },
+
+ { type = 211, name = "modify_access_bearer_request" },
+ { type = 212, name = "modify_access_bearer_response" },
+
+ { type = 231, name = "mbms_session_start_request" },
+ { type = 232, name = "mbms_session_start_response" },
+ { type = 233, name = "mbms_session_update_request" },
+ { type = 234, name = "mbms_session_update_response" },
+ { type = 235, name = "mbms_session_stop_request" },
+ { type = 236, name = "mbms_session_stop_response" },
+};
+
+-- length = 0 indicates variable length
+
+gtp_v0_info =
+{
+ { type = 1, name = "cause", length = 2 },
+ { type = 2, name = "imsi", length = 9 },
+ { type = 3, name = "rai", length = 7 },
+ { type = 4, name = "tlli", length = 5 },
+ { type = 5, name = "p_tmsi", length = 5 },
+ { type = 6, name = "qos", length = 4 },
+
+ { type = 8, name = "recording_required", length = 2 },
+ { type = 9, name = "authentication", length = 29 },
+
+ { type = 11, name = "map_cause", length = 2 },
+ { type = 12, name = "p_tmsi_sig", length = 4 },
+ { type = 13, name = "ms_validated", length = 2 },
+ { type = 14, name = "recovery", length = 2 },
+ { type = 15, name = "selection_mode", length = 2 },
+ { type = 16, name = "flow_label_data_1", length = 3 },
+ { type = 17, name = "flow_label_signalling", length = 3 },
+ { type = 18, name = "flow_label_data_2", length = 4 },
+ { type = 19, name = "ms_unreachable", length = 2 },
+
+ { type = 127, name = "charge_id", length = 5 },
+ { type = 128, name = "end_user_address", length = 0 },
+ { type = 129, name = "mm_context", length = 0 },
+ { type = 130, name = "pdp_context", length = 0 },
+ { type = 131, name = "apn", length = 0 },
+ { type = 132, name = "protocol_config", length = 0 },
+ { type = 133, name = "gsn", length = 0 },
+ { type = 134, name = "msisdn", length = 0 },
+
+ { type = 251, name = "charging_gateway_addr", length = 0 },
+
+ { type = 255, name = "private_extension", length = 0 },
+}
+
+gtp_v1_info =
+{
+ { type = 1, name = "cause", length = 2 },
+ { type = 2, name = "imsi", length = 9 },
+ { type = 3, name = "rai", length = 7 },
+ { type = 4, name = "tlli", length = 5 },
+ { type = 5, name = "p_tmsi", length = 5 },
+
+ { type = 8, name = "recording_required", length = 2 },
+ { type = 9, name = "authentication", length = 29 },
+
+ { type = 11, name = "map_cause", length = 2 },
+ { type = 12, name = "p_tmsi_sig", length = 4 },
+ { type = 13, name = "ms_validated", length = 2 },
+ { type = 14, name = "recovery", length = 2 },
+ { type = 15, name = "selection_mode", length = 2 },
+ { type = 16, name = "teid_1", length = 5 },
+ { type = 17, name = "teid_control", length = 5 },
+ { type = 18, name = "teid_2", length = 6 },
+ { type = 19, name = "teardown_ind", length = 2 },
+ { type = 20, name = "nsapi", length = 2 },
+ { type = 21, name = "ranap", length = 2 },
+ { type = 22, name = "rab_context", length = 10 },
+ { type = 23, name = "radio_priority_sms", length = 2 },
+ { type = 24, name = "radio_priority", length = 2 },
+ { type = 25, name = "packet_flow_id", length = 3 },
+ { type = 26, name = "charging_char", length = 3 },
+ { type = 27, name = "trace_ref", length = 3 },
+ { type = 28, name = "trace_type", length = 3 },
+ { type = 29, name = "ms_unreachable", length = 2 },
+
+ { type =127, name = "charge_id", length = 5 },
+ { type = 128, name = "end_user_address", length = 0 },
+ { type = 129, name = "mm_context", length = 0 },
+ { type = 130, name = "pdp_context", length = 0 },
+ { type = 131, name = "apn", length = 0 },
+ { type = 132, name = "protocol_config", length = 0 },
+ { type = 133, name = "gsn", length = 0 },
+ { type = 134, name = "msisdn", length = 0 },
+ { type = 135, name = "qos", length = 0 },
+ { type = 136, name = "authentication_qu", length = 0 },
+ { type = 137, name = "tft", length = 0 },
+ { type = 138, name = "target_id", length = 0 },
+ { type = 139, name = "utran_trans", length = 0 },
+ { type = 140, name = "rab_setup", length = 0 },
+ { type = 141, name = "ext_header", length = 0 },
+ { type = 142, name = "trigger_id", length = 0 },
+ { type = 143, name = "omc_id", length = 0 },
+ { type = 144, name = "ran_trans", length = 0 },
+ { type = 145, name = "pdp_context_pri", length = 0 },
+ { type = 146, name = "addi_rab_setup", length = 0 },
+ { type = 147, name = "sgsn_number", length = 0 },
+ { type = 148, name = "common_flag", length = 0 },
+ { type = 149, name = "apn_restriction", length = 0 },
+ { type = 150, name = "radio_priority_lcs", length = 4 },
+ { type = 151, name = "rat_type", length = 0 },
+ { type = 152, name = "user_loc_info", length = 0 },
+ { type = 153, name = "ms_time_zone", length = 0 },
+ { type = 154, name = "imei_sv", length = 0 },
+ { type = 155, name = "camel", length = 0 },
+ { type = 156, name = "mbms_ue_context", length = 0 },
+ { type = 157, name = "tmp_mobile_group_id", length = 0 },
+ { type = 158, name = "rim_routing_addr", length = 0 },
+ { type = 159, name = "mbms_config", length = 0 },
+ { type = 160, name = "mbms_service_area", length = 0 },
+ { type = 161, name = "src_rnc_pdcp", length = 0 },
+ { type = 162, name = "addi_trace_info", length = 0 },
+ { type = 163, name = "hop_counter", length = 0 },
+ { type = 164, name = "plmn_id", length = 0 },
+ { type = 165, name = "mbms_session_id", length = 0 },
+ { type = 166, name = "mbms_2g3g_indicator", length = 0 },
+ { type = 167, name = "enhanced_nsapi", length = 0 },
+ { type = 168, name = "mbms_session_duration", length = 0 },
+ { type = 169, name = "addi_mbms_trace_info", length = 0 },
+ { type = 170, name = "mbms_session_repetition_num", length = 0 },
+ { type = 171, name = "mbms_time_to_data", length = 0 },
+
+ { type = 173, name = "bss", length = 0 },
+ { type = 174, name = "cell_id", length = 0 },
+ { type = 175, name = "pdu_num", length = 0 },
+ { type = 177, name = "mbms_bearer_capab", length = 0 },
+ { type = 178, name = "rim_routing_disc", length = 0 },
+ { type = 179, name = "list_pfc", length = 0 },
+ { type = 180, name = "ps_xid", length = 0 },
+ { type = 181, name = "ms_info_change_report", length = 4 },
+ { type = 182, name = "direct_tunnel_flags", length = 0 },
+ { type = 183, name = "correlation_id", length = 0 },
+ { type = 184, name = "bearer_control_mode", length = 0 },
+ { type = 185, name = "mbms_flow_id", length = 0 },
+ { type = 186, name = "mbms_ip_multicast", length = 0 },
+ { type = 187, name = "mbms_distribution_ack", length = 4 },
+ { type = 188, name = "reliable_inter_rat_handover", length = 0 },
+ { type = 189, name = "rfsp_index", length = 0 },
+ { type = 190, name = "fqdn", length = 0 },
+ { type = 191, name = "evolved_allocation1", length = 0 },
+ { type = 192, name = "evolved_allocation2", length = 0 },
+ { type = 193, name = "extended_flags", length = 0 },
+ { type = 194, name = "uci", length = 0 },
+ { type = 195, name = "csg_info", length = 0 },
+ { type = 196, name = "csg_id", length = 0 },
+ { type = 197, name = "cmi", length = 4 },
+ { type = 198, name = "apn_ambr", length = 0 },
+ { type = 199, name = "ue_network", length = 0 },
+ { type = 200, name = "ue_ambr", length = 0 },
+ { type = 201, name = "apn_ambr_nsapi", length = 0 },
+ { type = 202, name = "ggsn_backoff_timer", length = 0 },
+ { type = 203, name = "signalling_priority_indication", length = 0 },
+ { type = 204, name = "signalling_priority_indication_nsapi", length = 0 },
+ { type = 205, name = "high_bitrate", length = 4 },
+ { type = 206, name = "max_mbr", length = 0 },
+
+ { type = 251, name = "charging_gateway_addr", length = 0 },
+
+ { type = 255, name = "private_extension", length = 0 },
+}
+
+gtp_v2_info =
+{
+ { type = 1, name = "imsi", length = 0 },
+ { type = 2, name = "cause", length = 0 },
+ { type = 3, name = "recovery", length = 0 },
+
+ { type = 71, name = "apn", length = 0 },
+ { type = 72, name = "ambr", length = 0 },
+ { type = 73, name = "ebi", length = 0 },
+ { type = 74, name = "ip_addr", length = 0 },
+ { type = 75, name = "mei", length = 0 },
+ { type = 76, name = "msisdn", length = 0 },
+ { type = 77, name = "indication", length = 0 },
+ { type = 78, name = "pco", length = 0 },
+ { type = 79, name = "paa", length = 0 },
+ { type = 80, name = "bearer_qos", length = 0 },
+ { type = 81, name = "flow_qos", length = 0 },
+ { type = 82, name = "rat_type", length = 0 },
+ { type = 83, name = "serving_network", length = 0 },
+ { type = 84, name = "bearer_tft", length = 0 },
+ { type = 85, name = "tad", length = 0 },
+ { type = 86, name = "uli", length = 0 },
+ { type = 87, name = "f_teid", length = 0 },
+ { type = 88, name = "tmsi", length = 0 },
+ { type = 89, name = "cn_id", length = 0 },
+ { type = 90, name = "s103pdf", length = 0 },
+ { type = 91, name = "s1udf", length = 0 },
+ { type = 92, name = "delay_value", length = 0 },
+ { type = 93, name = "bearer_context", length = 0 },
+ { type = 94, name = "charging_id", length = 0 },
+ { type = 95, name = "charging_char", length = 0 },
+ { type = 96, name = "trace_info", length = 0 },
+ { type = 97, name = "bearer_flag", length = 0 },
+
+ { type = 99, name = "pdn_type", length = 0 },
+ { type = 100, name = "pti", length = 0 },
+ { type = 101, name = "drx_parameter", length = 0 },
+
+ { type = 103, name = "gsm_key_tri", length = 0 },
+ { type = 104, name = "umts_key_cipher_quin", length = 0 },
+ { type = 105, name = "gsm_key_cipher_quin", length = 0 },
+ { type = 106, name = "umts_key_quin", length = 0 },
+ { type = 107, name = "eps_quad", length = 0 },
+ { type = 108, name = "umts_key_quad_quin", length = 0 },
+ { type = 109, name = "pdn_connection", length = 0 },
+ { type = 110, name = "pdn_number", length = 0 },
+ { type = 111, name = "p_tmsi", length = 0 },
+ { type = 112, name = "p_tmsi_sig", length = 0 },
+ { type = 113, name = "hop_counter", length = 0 },
+ { type = 114, name = "ue_time_zone", length = 0 },
+ { type = 115, name = "trace_ref", length = 0 },
+ { type = 116, name = "complete_request_msg", length = 0 },
+ { type = 117, name = "guti", length = 0 },
+ { type = 118, name = "f_container", length = 0 },
+ { type = 119, name = "f_cause", length = 0 },
+ { type = 120, name = "plmn_id", length = 0 },
+ { type = 121, name = "target_id", length = 0 },
+
+ { type = 123, name = "packet_flow_id", length = 0 },
+ { type = 124, name = "rab_contex", length = 0 },
+ { type = 125, name = "src_rnc_pdcp", length = 0 },
+ { type = 126, name = "udp_src_port", length = 0 },
+ { type = 127, name = "apn_restriction", length = 0 },
+ { type = 128, name = "selection_mode", length = 0 },
+ { type = 129, name = "src_id", length = 0 },
+
+ { type = 131, name = "change_report_action", length = 0 },
+ { type = 132, name = "fq_csid", length = 0 },
+ { type = 133, name = "channel", length = 0 },
+ { type = 134, name = "emlpp_pri", length = 0 },
+ { type = 135, name = "node_type", length = 0 },
+ { type = 136, name = "fqdn", length = 0 },
+ { type = 137, name = "ti", length = 0 },
+ { type = 138, name = "mbms_session_duration", length = 0 },
+ { type = 139, name = "mbms_service_area", length = 0 },
+ { type = 140, name = "mbms_session_id", length = 0 },
+ { type = 141, name = "mbms_flow_id", length = 0 },
+ { type = 142, name = "mbms_ip_multicast", length = 0 },
+ { type = 143, name = "mbms_distribution_ack", length = 0 },
+ { type = 144, name = "rfsp_index", length = 0 },
+ { type = 145, name = "uci", length = 0 },
+ { type = 146, name = "csg_info", length = 0 },
+ { type = 147, name = "csg_id", length = 0 },
+ { type = 148, name = "cmi", length = 0 },
+ { type = 149, name = "service_indicator", length = 0 },
+ { type = 150, name = "detach_type", length = 0 },
+ { type = 151, name = "ldn", length = 0 },
+ { type = 152, name = "node_feature", length = 0 },
+ { type = 153, name = "mbms_time_to_transfer", length = 0 },
+ { type = 154, name = "throttling", length = 0 },
+ { type = 155, name = "arp", length = 0 },
+ { type = 156, name = "epc_timer", length = 0 },
+ { type = 157, name = "signalling_priority_indication", length = 0 },
+ { type = 158, name = "tmgi", length = 0 },
+ { type = 159, name = "mm_srvcc", length = 0 },
+ { type = 160, name = "flags_srvcc", length = 0 },
+ { type = 161, name = "mmbr", length = 0 },
+
+ { type = 255, name = "private_extension", length = 0 },
+}
+
+default_gtp =
+{
+ { version = 0, messages = gtp_v0_msg, infos = gtp_v0_info },
+ { version = 1, messages = gtp_v1_msg, infos = gtp_v1_info },
+ { version = 2, messages = gtp_v2_msg, infos = gtp_v2_info },
+}
+
+---------------------------------------------------------------------------
+-- port_scan defaults
+---------------------------------------------------------------------------
+
+tcp_low_ports = { scans = 0, rejects = 5, nets = 25, ports = 5 }
+tcp_low_decoy = { scans = 0, rejects = 15, nets = 50, ports = 30 }
+tcp_low_sweep = { scans = 0, rejects = 5, nets = 5, ports = 15 }
+tcp_low_dist = { scans = 0, rejects = 15, nets = 50, ports = 15 }
+
+tcp_med_ports = { scans = 200, rejects = 10, nets = 60, ports = 15 }
+tcp_med_decoy = { scans = 200, rejects = 30, nets = 120, ports = 60 }
+tcp_med_sweep = { scans = 30, rejects = 7, nets = 7, ports = 10 }
+tcp_med_dist = { scans = 200, rejects = 30, nets = 120, ports = 30 }
+
+tcp_hi_ports = { scans = 200, rejects = 5, nets = 100, ports = 10 }
+tcp_hi_decoy = { scans = 200, rejects = 7, nets = 200, ports = 60 }
+tcp_hi_sweep = { scans = 30, rejects = 3, nets = 3, ports = 10 }
+tcp_hi_dist = { scans = 200, rejects = 5, nets = 200, ports = 10 }
+
+udp_low_ports = { scans = 0, rejects = 5, nets = 25, ports = 5 }
+udp_low_decoy = { scans = 0, rejects = 15, nets = 50, ports = 30 }
+udp_low_sweep = { scans = 0, rejects = 5, nets = 5, ports = 15 }
+udp_low_dist = { scans = 0, rejects = 15, nets = 50, ports = 15 }
+
+udp_med_ports = { scans = 200, rejects = 10, nets = 60, ports = 15 }
+udp_med_decoy = { scans = 200, rejects = 30, nets = 120, ports = 60 }
+udp_med_sweep = { scans = 30, rejects = 5, nets = 5, ports = 20 }
+udp_med_dist = { scans = 200, rejects = 30, nets = 120, ports = 30 }
+
+udp_hi_ports = { scans = 200, rejects = 3, nets = 100, ports = 10 }
+udp_hi_decoy = { scans = 200, rejects = 7, nets = 200, ports = 60 }
+udp_hi_sweep = { scans = 30, rejects = 3, nets = 3, ports = 10 }
+udp_hi_dist = { scans = 200, rejects = 3, nets = 200, ports = 10 }
+
+ip_low_proto = { scans = 0, rejects = 10, nets = 10, ports = 50 }
+ip_low_decoy = { scans = 0, rejects = 40, nets = 50, ports = 25 }
+ip_low_sweep = { scans = 0, rejects = 10, nets = 10, ports = 10 }
+ip_low_dist = { scans = 0, rejects = 15, nets = 25, ports = 50 }
+
+ip_med_proto = { scans = 200, rejects = 10, nets = 10, ports = 50 }
+ip_med_decoy = { scans = 200, rejects = 40, nets = 50, ports = 25 }
+ip_med_sweep = { scans = 30, rejects = 10, nets = 10, ports = 10 }
+ip_med_dist = { scans = 200, rejects = 15, nets = 25, ports = 50 }
+
+ip_hi_proto = { scans = 200, rejects = 3, nets = 3, ports = 10 }
+ip_hi_decoy = { scans = 200, rejects = 7, nets = 15, ports = 5 }
+ip_hi_sweep = { scans = 30, rejects = 3, nets = 3, ports = 7 }
+ip_hi_dist = { scans = 200, rejects = 3, nets = 11, ports = 10 }
+
+icmp_low_sweep = { scans = 0, rejects = 5, nets = 5, ports = 5 }
+icmp_med_sweep = { scans = 20, rejects = 5, nets = 5, ports = 5 }
+icmp_hi_sweep = { scans = 10, rejects = 3, nets = 3, ports = 5 }
+
+default_hi_port_scan =
+{
+ protos = 'all',
+ scan_types = 'all',
+
+ tcp_window = 600,
+ udp_window = 600,
+ ip_window = 600,
+ icmp_window = 600,
+
+ tcp_ports = tcp_hi_ports,
+ tcp_decoy = tcp_hi_decoy,
+ tcp_sweep = tcp_hi_sweep,
+ tcp_dist = tcp_hi_dist,
+
+ udp_ports = udp_hi_ports,
+ udp_decoy = udp_hi_decoy,
+ udp_sweep = udp_hi_sweep,
+ udp_dist = udp_hi_dist,
+
+ ip_proto = ip_hi_proto,
+ ip_decoy = ip_hi_decoy,
+ ip_sweep = ip_hi_sweep,
+ ip_dist = ip_hi_dist,
+
+ icmp_sweep = icmp_hi_sweep,
+}
+
+default_med_port_scan =
+{
+ protos = 'all',
+ scan_types = 'all',
+
+ tcp_window = 90,
+ udp_window = 90,
+ ip_window = 90,
+ icmp_window = 90,
+
+ tcp_ports = tcp_med_ports,
+ tcp_decoy = tcp_med_decoy,
+ tcp_sweep = tcp_med_sweep,
+ tcp_dist = tcp_med_dist,
+
+ udp_ports = udp_med_ports,
+ udp_decoy = udp_med_decoy,
+ udp_sweep = udp_med_sweep,
+ udp_dist = udp_med_dist,
+
+ ip_proto = ip_med_proto,
+ ip_decoy = ip_med_decoy,
+ ip_sweep = ip_med_sweep,
+ ip_dist = ip_med_dist,
+
+ icmp_sweep = icmp_med_sweep,
+}
+
+default_low_port_scan =
+{
+ protos = 'all',
+ scan_types = 'all',
+
+ tcp_window = 60,
+ udp_window = 60,
+ ip_window = 60,
+ icmp_window = 60,
+
+ tcp_ports = tcp_low_ports,
+ tcp_decoy = tcp_low_decoy,
+ tcp_sweep = tcp_low_sweep,
+ tcp_dist = tcp_low_dist,
+
+ udp_ports = udp_low_ports,
+ udp_decoy = udp_low_decoy,
+ udp_sweep = udp_low_sweep,
+ udp_dist = udp_low_dist,
+
+ ip_proto = ip_low_proto,
+ ip_decoy = ip_low_decoy,
+ ip_sweep = ip_low_sweep,
+ ip_dist = ip_low_dist,
+
+ icmp_sweep = icmp_low_sweep,
+}
+
+---------------------------------------------------------------------------
+-- default js_norm configuration
+---------------------------------------------------------------------------
+
+-- ECMAScript Standard Built-in Objects and Functions Names (Identifiers)
+-- Also, might include other non-specification identifiers like those
+-- are part of WebAPI or frameworks
+
+default_js_norm_ident_ignore =
+{
+ -- GlobalObject.Functions
+ 'eval', 'PerformEval', 'HostEnsureCanCompileStrings', 'EvalDeclarationInstantiation',
+ 'isFinite', 'isNaN', 'parseFloat', 'parseInt', 'Encode', 'Decode', 'decodeURI',
+ 'decodeURIComponent', 'encodeURI', 'encodeURIComponent',
+
+ -- Microsoft.JScript.GlobalObject.Functions
+ 'CollectGarbage', 'GetHashCode', 'GetObject', 'GetType', 'MemberwiseClone',
+
+ -- GlobalObject.Constructors
+ 'AggregateError', 'Array', 'ArrayBuffer', 'BigInt', 'BitInt64Array', 'BigUint64Array',
+ 'Boolean', 'DataView', 'Date', 'Error', 'EvalError', 'FinalizationRegistry',
+ 'Float32Array', 'Float64Array', 'Function', 'Int8Array', 'Int16Array', 'Int32Array',
+ 'Map', 'NativeError', 'Number', 'Object', 'Promise', 'Proxy',
+ 'RangeError', 'ReferenceError', 'RegExp', 'Set', 'SharedArrayBuffer', 'String',
+ 'Symbol', 'SyntaxError', 'TypeError', 'Uint8Array', 'Uint8ClampedArray', 'Uint16Array',
+ 'Uint32Array', 'URIError', 'WeakMap', 'WeakRef', 'WeakSet',
+
+ -- Microsoft.JScript.GlobalObject.Constructors
+ 'ActiveXObject', 'Enumerator', 'VBArray',
+
+ -- Atomics
+ 'Atomics', 'WaiterList', 'ValidateIntegerTypedArray', 'ValidateAtomicAccess', 'GetWaiterList',
+ 'EnterCriticalSection', 'LeaveCriticalSection', 'AddWaiter', 'RemoveWaiter', 'RemoveWaiters',
+ 'SuspendAgent', 'NotifyWaiter', 'AtomicReadModifyWrite', 'ByteListBitwiseOp', 'ByteListEqual',
+
+ -- JSON
+ 'JSON', 'InternalizeJSONProperty', 'SerializeJSONProperty', 'QuoteJSONString', 'UnicodeEscape',
+ 'SerializeJSONObject','SerializeJSONArray',
+
+ -- Math
+ 'Math',
+
+ -- Reflect
+ 'Reflect',
+
+ -- Date and Time
+ 'LocalTZA', 'LocalTime', 'UTC', 'MakeTime', 'MakeDay', 'MakeDate', 'TimeClip', 'TimeString',
+ 'DateString', 'TimeZoneString', 'ToDateString',
+
+ -- String
+ 'StringPad', 'GetSubstitution', 'SplitMatch', 'TrimString',
+
+ -- RegExp
+ 'RegExpExec', 'RegExpBuiltinExec', 'AdvanceStringIndex', 'RegExpHasFlag',
+
+ -- TypedArray
+ 'TypedArray', 'TypedArraySpeciesCreate', 'TypedArrayCreate', 'ValidateTypedArray',
+ 'AllocateTypedArray', 'InitializeTypedArrayFromTypedArray',
+ 'InitializeTypedArrayFromArrayBuffer', 'InitializeTypedArrayFromList',
+ 'InitializeTypedArrayFromArrayLike', 'AllocateTypedArrayBuffer',
+
+ -- ArrayBuffer
+ 'AllocateArrayBuffer', 'IsDetachedBuffer', 'DetachArrayBuffer', 'CloneArrayBuffer',
+ 'IsUnsignedElementType', 'IsUnclampedIntegerElementType', 'IsBigIntElementType',
+ 'IsNoTearConfiguration', 'RawBytesToNumeric', 'GetValueFromBuffer', 'NumericToRawBytes',
+ 'SetValueInBuffer', 'GetModifySetValueInBuffer',
+
+ -- SharedArrayBuffer
+ 'AllocateSharedArrayBuffer', 'IsSharedArrayBuffer',
+
+ -- DataView
+ 'GetViewValue', 'SetViewValue', 'getDataView',
+
+ -- WeakRef
+ 'WeakRefDeref',
+
+ -- Promise
+ 'IfAbruptRejectPromise', 'CreateResolvingFunctions', 'FulfillPromise', 'NewPromiseCapability',
+ 'IsPromise', 'RejectPromise', 'TriggerPromiseReactions', 'HostPromiseRejectionTracker',
+ 'NewPromiseReactionJob', 'NewPromiseResolveThenableJob', 'GetPromiseResolve',
+ 'PerformPromiseAll', 'PerformPromiseAllSettled', 'PerformPromiseAny', 'PerformPromiseRace',
+ 'PromiseResolve', 'PerformPromiseThen',
+
+ -- GeneratorFunction
+ 'GeneratorFunction', 'AsyncGeneratorFunction',
+
+ -- Generator
+ 'Generator', 'GeneratorStart', 'GeneratorValidate', 'GeneratorResume', 'GeneratorResumeAbrupt',
+ 'GetGeneratorKind', 'GeneratorYield', 'Yield', 'CreateIteratorFromClosure',
+
+ -- AsyncGenerator
+ 'AsyncGenerator', 'AsyncGeneratorStart', 'AsyncGeneratorValidate', 'AsyncGeneratorResolve',
+ 'AsyncGeneratorReject', 'AsyncGeneratorResumeNext', 'AsyncGeneratorEnqueue',
+ 'AsyncGeneratorYield', 'CreateAsyncIteratorFromClosure',
+
+ -- AsyncFunction
+ 'AsyncFunction', 'AsyncFunctionStart',
+
+ -- WebAPI
+ 'console', 'document',
+
+ -- Misc
+ 'arguments', 'CreateDynamicFunction', 'HostHasSourceTextAvailable', 'SymbolDescriptiveString',
+ 'IsConcatSpreadable', 'FlattenIntoArray', 'SortCompare', 'AddEntriesFromIterable',
+ 'CreateMapIterator', 'CreateSetIterator', 'EventSet', 'SharedDataBlockEventSet',
+ 'HostEventSet', 'ComposeWriteEventBytes', 'ValueOfReadEvent', 'escape', 'unescape',
+ 'CreateHTML',
+
+ -- Adobe Acrobat
+ 'addAnnot', 'bookmarkRoot', 'calculateNow', 'closeDoc', 'createDataObject', 'docID',
+ 'exportAsFDF', 'exportAsFDFStr', 'getAnnotRichMedia', 'getAnnots', 'getAnnotsRichMedia',
+ 'getField', 'getLegalWarnings', 'getNthFieldName', 'getOCGs', 'openDataObject', 'removeField',
+ 'removeLinks', 'modDate', 'scroll', 'setAction', 'setPageAction', 'submitForm', 'syncAnnotScan',
+ 'Collab', 'Net', 'Rendition', 'XFA', 'XMLData', 'app', 'catalog', 'event', 'spell', 'util'
+}
+
+default_js_norm_prop_ignore =
+{
+ -- Object
+ 'constructor', 'prototype', '__proto__', '__defineGetter__', '__defineSetter__',
+ '__lookupGetter__', '__lookupSetter__', '__count__', '__noSuchMethod__', '__parent__',
+ 'hasOwnProperty', 'isPrototypeOf', 'propertyIsEnumerable', 'toLocaleString', 'toString',
+ 'toSource', 'valueOf', 'getNotifier', 'eval', 'observe', 'unobserve', 'watch', 'unwatch',
+
+ -- Function
+ 'arguments', 'arity', 'caller', 'length', 'name', 'displayName', 'apply', 'bind', 'call',
+ 'isGenerator',
+
+ -- Number
+ 'toExponential', 'toFixed', 'toPrecision',
+
+ -- String
+ 'at', 'charAt', 'charCodeAt', 'codePointAt', 'concat', 'includes', 'endWith', 'indexOf',
+ 'lastIndexOf', 'localeCompare', 'match', 'matchAll', 'normalize', 'padEnd', 'padStart',
+ 'repeat', 'replace', 'replaceAll', 'search', 'slice', 'split', 'startsWith', 'substring',
+ 'toLocaleLowerCase', 'toLocaleUpperCase', 'toLowerCase', 'toUpperCase', 'trim', 'trimStart',
+ 'trimEnd',
+
+ -- RegExp
+ 'flags', 'dotAll', 'global', 'hasIndices', 'ignoreCase', 'multiline', 'source', 'sticky',
+ 'unicode', 'lastIndex', 'compile', 'exec', 'test', 'input', 'lastMatch', 'lastParen',
+ 'leftContext', 'rightContext',
+
+ -- Array
+ 'copyWithin', 'entries', 'every', 'fill', 'filter', 'find', 'findIndex', 'flat', 'flatMap',
+ 'forEach', 'groupBy', 'groupByToMap', 'join', 'keys', 'map', 'pop', 'push', 'reduce',
+ 'reduceRight', 'reverse', 'shift', 'unshift', 'some', 'sort', 'splice',
+
+ -- Generator
+ 'next', 'return', 'throw',
+
+ -- EventTarget
+ 'addEventListener', 'dispatchEvent', 'removeEventListener',
+
+ -- Node
+ 'childNodes', 'nodeValue', 'ownerDocument', 'parentElement', 'textContent', 'appendChild',
+ 'cloneNode', 'insertBefore', 'removeChild', 'replaceChild',
+
+ -- Element
+ 'innerHTML', 'msRegionOverflow', 'openOrClosedShadowRoot', 'outerHTML', 'part', 'shadowRoot',
+ 'after', 'append', 'attachShadow', 'before', 'closest', 'createShadowRoot', 'getAttribute',
+ 'getAttributeNode', 'getAttributeNodeNS', 'getAttributeNS', 'getElementsByClassName',
+ 'getElementsByTagName', 'getElementsByTagNameNS', 'insertAdjacentElement', 'insertAdjacentHTML',
+ 'insertAdjacentText', 'prepend', 'querySelector', 'querySelectorAll', 'releasePointerCapture',
+ 'remove', 'removeAttribute', 'removeAttributeNode', 'removeAttributeNS', 'replaceChildren',
+ 'replaceWith', 'setAttribute', 'setAttributeNode', 'setAttributeNodeNS', 'setAttributeNS',
+ 'setCapture', 'setHTML', 'setPointerCapture', 'toggleAttribute',
+
+ -- HTMLElement
+ 'contentEditable', 'contextMenu', 'dataset', 'dir', 'enterKeyHint', 'hidden', 'inert',
+ 'innerText', 'lang', 'nonce', 'outerText', 'style', 'tabIndex', 'title',
+ 'attachInternals',
+
+ -- Promise
+ 'catch', 'finally',
+
+ -- Misc
+ 'ExportStyle', 'callee',
+
+ -- Adobe Acrobat
+ 'activated', 'addAnnot', 'addLink', 'annot', 'attachIcon', 'begin', 'bookmarkRoot',
+ 'borderColor', 'borderStyle', 'buttonGetIcon', 'calculate', 'calculateNow', 'callAS',
+ 'children', 'close', 'closeDoc', 'commitOnSelChange', 'createChild', 'createDataObject', 'data',
+ 'dataObjects', 'destroy', 'doc', 'docID', 'end', 'execute', 'exportAsFDF', 'exportAsFDFStr',
+ 'exportDataObject', 'exportValues', 'get', 'getAnnot', 'getAnnots', 'getAnnotsRichMedia',
+ 'getField', 'getLegalWarnings', 'getNthFieldName', 'getOCGs', 'getPageBox', 'openDataObject',
+ 'getProps', 'inReplyTo', 'layout', 'media', 'modDate', 'newPlayer', 'objectMetadata', 'page',
+ 'point', 'points', 'popupOpen', 'popupRect', 'print', 'println', 'qSilence', 'query', 'rect',
+ 'removeField', 'removeLinks', 'reset', 'resetForm', 'richText', 'rotate', 'saveAs', 'scroll',
+ 'setAction', 'setFocus', 'setIntent', 'setItems', 'setPageAction', 'setPersistent', 'setProps',
+ 'show', 'state', 'stateModel', 'streamFromString', 'stringFromStream', 'submitForm',
+ 'syncAnnotScan', 'talk', 'text', 'toggleNoView', 'type', 'userName', 'value', 'width', 'xfa'
+}
+
+default_js_norm =
+{
+ -- params not specified here get internal defaults
+ ident_ignore = default_js_norm_ident_ignore,
+ prop_ignore = default_js_norm_prop_ignore,
+}
+
+---------------------------------------------------------------------------
+-- default whitelist
+---------------------------------------------------------------------------
+default_whitelist =
+[[
+ ftp_command_specs default_ftp_server smtp_default_alt_max_command_lines
+ default_smtp http_methods sip_requests telnet_commands default_wizard
+ default_references default_classifications gtp_v0_msg gtp_v1_msg gtp_v2_msg
+ gtp_v0_info gtp_v1_info gtp_v2_info default_gtp tcp_low_ports
+ tcp_low_decoy tcp_low_sweep tcp_low_dist tcp_med_ports
+ tcp_med_decoy tcp_med_sweep tcp_med_dist tcp_hi_ports tcp_hi_decoy
+ tcp_hi_sweep tcp_hi_dist udp_low_ports udp_low_decoy udp_low_sweep
+ udp_low_dist udp_med_ports udp_med_decoy udp_med_sweep udp_med_dist
+ udp_hi_ports udp_hi_decoy udp_hi_sweep udp_hi_dist ip_low_proto
+ ip_low_decoy ip_low_sweep ip_low_dist ip_med_proto ip_med_decoy
+ ip_med_sweep ip_med_dist ip_hi_proto ip_hi_decoy ip_hi_sweep
+ ip_hi_dist icmp_low_sweep icmp_med_sweep icmp_hi_sweep
+ default_hi_port_scan default_med_port_scan default_low_port_scan
+ default_variables netflow_versions default_js_norm_ident_ignore
+ default_js_norm_prop_ignore default_js_norm
+]]
+
+snort_whitelist_append(default_whitelist)
diff --git a/snort-conf/talos.lua b/snort-conf/talos.lua
new file mode 100644
index 0000000..c420a7f
--- /dev/null
+++ b/snort-conf/talos.lua
@@ -0,0 +1,43 @@
+---------------------------------------------------------------------------
+-- talos test tweaks
+-- use with --talos or --tweaks talos
+---------------------------------------------------------------------------
+
+function file_exists(name)
+ local f=io.open(name,'r')
+ if f~=nil then
+ io.close(f)
+ return true
+ else
+ return false
+ end
+end
+
+daq =
+{
+ modules =
+ {
+ {
+ name = 'dump',
+ variables = { 'output = none' }
+ }
+ },
+ snaplen = 65535
+}
+
+if file_exists('local.rules') then
+ ips.include = 'local.rules'
+end
+
+alert_talos = { }
+alerts = { alert_with_interface_name = true }
+
+profiler =
+{
+ modules = { show = false },
+ memory = { show = false },
+ rules = { show = true }
+}
+
+snort = { ['-Q'] = true }
+
diff --git a/snort-openappid.tar.gz b/snort-openappid.tar.gz
new file mode 100644
index 0000000..d7ce2f2
Binary files /dev/null and b/snort-openappid.tar.gz differ
diff --git a/snort-rules.txt b/snort-rules.txt
new file mode 100644
index 0000000..1fb71cd
--- /dev/null
+++ b/snort-rules.txt
@@ -0,0 +1 @@
+alert icmp any any -> $HOME_NET any (msg:"ICMP connection test"; sid:1000001; rev:1;)
\ No newline at end of file
diff --git a/supervisord.conf b/supervisord.conf
new file mode 100644
index 0000000..1acdac9
--- /dev/null
+++ b/supervisord.conf
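Review bot: `ips.include = 'local.rules'` in the new talos.lua assumes the base config has already created the `ips` table and that `local.rules` resolves against the snort process's working directory; the supervisord entry in this same commit passes the rule file by absolute path (`-R /usr/local/etc/rules/local.rules`) and sets no cwd, so the `file_exists` probe would likely be false and the include silently skipped, while a missing `ips` table would make the assignment raise. Suggest guarding it, `if ips and file_exists('local.rules') then`, and stating the dependency in the header, e.g. `-- 'local.rules' is looked up relative to the process cwd`. The `daq` block also pins the `dump` module with `output = none`, which looks intended for pcap test runs rather than the live `-i eth0` capture the supervisord command configures; a comment saying when this tweak is meant to be selected would help.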
@@ -0,0 +1,18 @@
+[supervisord]
+nodaemon=true
+
+[program:sshd]
+command=/usr/sbin/sshd -D
+
+#[program:snort-agent]
+#command=/usr/bin/python3 /usr/local/src/snort-agent/snort-agent.py
+#stdout_logfile=/var/log/supervisor.log
+#stderr_logfile=/var/log/supervisor.log
+#autorestart=true
+
+[program:snort]
+#command=snort -i eth0s -d -c /usr/local/etc/snort/snort.lua -l /var/log/snort
+command=snort -c /usr/local/etc/snort/snort.lua -R /usr/local/etc/rules/local.rules -i eth0 -s 65535 -k none -l /var/log/snort
+stdout_logfile=/var/log/snort/supervisor.log
+stderr_logfile=/var/log/snort/supervisor.log
+autorestart=true
\ No newline at end of file
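Review bot: The `[program:sshd]` entry runs an SSH daemon alongside the sensor and, like `[program:snort]`, has no `user=` line, so both processes run as root under supervisord's default. A login service is not needed for packet inspection and widens what the container exposes on the interface it monitors; if remote access is genuinely required, say why in a comment above the entry and give snort its own privilege drop after it opens `eth0` (Snort 3's `process = { set_uid = ..., set_gid = ... }` in snort.lua). `-k none` disables checksum verification so packets with bad checksums are still inspected, a policy choice worth a one-line comment such as `# -k none: skip checksum verification, inspect packets with bad checksums`. The commented-out `#command=snort -i eth0s ...` line is dead configuration and should be removed.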