First working run

This commit is contained in:
Maxim Malakhov 2024-08-14 15:31:36 +03:00
parent b389e32dca
commit ba2f7a5e03
No known key found for this signature in database
GPG Key ID: A77DC2E5B79AF357
17 changed files with 2215 additions and 130 deletions


@ -1,145 +1,42 @@
#
# BUILD CONTAINER
# (Note that this is a multi-phase Dockerfile)
# To build run `docker build --rm -t tebedwel/snort3-alpine:latest`
#
FROM ubuntu:22.04 AS builder
ARG DEBIAN_FRONTEND=noninteractive
ENV PREFIX_DIR=/usr/local
ENV HOME=/root
# Update apt-get adding the @testing repo for hwloc (as of Alpine v3.7)
# RUN apt-get add -X https://dl-cdn.alpinelinux.org/alpine/v3.16/main -u alpine-keys
# RUN echo "@testing http://dl-cdn.alpinelinux.org/alpine/edge/testing" >> /etc/apt-get/repositories
# Prep apt-get for installing packages
RUN apt-get update -y && apt-get upgrade -y
# BUILD DEPENDENCIES:
RUN apt-get install -y \
wget \
git \
cmake \
make \
g++ \
bison \
flex \
cppcheck \
cpputest \
autoconf \
automake \
libtool \
# Libraries
libdumbnet-dev \
libdnet-dev \
libpcap-dev \
libtirpc-dev \
libmnl-dev \
libunwind-dev \
# Install the Snort developer requirements
curl \
gdb \
vim \
build-essential \
libpcre3-dev \
libnet1-dev \
zlib1g-dev \
luajit \
hwloc \
liblzma-dev \
openssl \
libssl-dev \
pkg-config \
libhwloc-dev \
libsqlite3-dev \
uuid-dev \
libcmocka-dev \
libnetfilter-queue-dev \
autotools-dev \
libluajit-5.1-dev \
libfl-dev
# One of the quirks of alpine is that unistd.h is in /usr/include. Lots of
# software looks for it in /usr/include/linux or /usr/include/sys.
# So, we'll make symlinks
# RUN mkdir /usr/include/linux && \
# ln -s /usr/include/unistd.h /usr/include/linux/unistd.h && \
# ln -s /usr/include/unistd.h /usr/include/sys/unistd.h
# The Alpine hwloc on testing is not reliable from a build perspective.
# So, lets just build it ourselves.
#
#WORKDIR $HOME
#RUN wget https://download.open-mpi.org/release/hwloc/v2.0/hwloc-2.0.3.tar.gz &&\
# tar zxvf hwloc-2.0.3.tar.gz
#WORKDIR $HOME/hwloc-2.0.3
#RUN ./configure --prefix=${PREFIX_DIR} && \
# make && \
# make install
# BUILD Daq on alpine:
RUN apt-get -y update && apt-get -y upgrade
RUN apt-get -y install \
wget git cmake make g++ bison flex cppcheck cpputest autoconf automake libtool curl gdb vim build-essential luajit hwloc openssl pkg-config openssh-server \
strace perl libio-socket-ssl-perl libcrypt-ssleay-perl ca-certificates libwww-perl python3-pip python3-pcapy python3-dpkt supervisor net-tools iputils-ping python3 \
libdumbnet-dev libdnet-dev libpcap-dev libtirpc-dev libmnl-dev libunwind-dev libpcre3-dev zlib1g-dev libnet1-dev liblzma-dev \
libssl-dev libhwloc-dev libsqlite3-dev uuid-dev libcmocka-dev libnetfilter-queue-dev autotools-dev libluajit-5.1-dev libfl-dev \
libpcre3 libpcre3-dbg libyaml-0-2 libyaml-dev zlib1g libcap-ng-dev libcap-ng0 libmagic-dev libnuma-dev
# Build libdaq
WORKDIR $HOME
RUN git clone https://github.com/snort3/libdaq.git
WORKDIR $HOME/libdaq
RUN ./bootstrap && \
./configure --prefix=${PREFIX_DIR} && make && \
make install
# BUILD gperftools
RUN ./bootstrap && ./configure --prefix=${PREFIX_DIR} && make && make install
# Build gperftools
WORKDIR $HOME
RUN wget https://github.com/gperftools/gperftools/releases/download/gperftools-2.9.1/gperftools-2.9.1.tar.gz &&\
tar xzf gperftools-2.9.1.tar.gz
RUN wget https://github.com/gperftools/gperftools/releases/download/gperftools-2.9.1/gperftools-2.9.1.tar.gz && tar xzf gperftools-2.9.1.tar.gz
WORKDIR $HOME/gperftools-2.9.1
RUN ./configure && make && make install
# BUILD Snort on alpine
# Build snort
WORKDIR $HOME
# RUN git clone https://github.com/snort3/snort3.git
RUN wget https://github.com/snort3/snort3/archive/refs/tags/3.3.2.0.tar.gz &&\
tar xzf 3.3.2.0.tar.gz
RUN wget https://github.com/snort3/snort3/archive/refs/tags/3.3.2.0.tar.gz && tar xzf 3.3.2.0.tar.gz
WORKDIR $HOME/snort3-3.3.2.0
RUN ./configure_cmake.sh \
--prefix=${PREFIX_DIR} \
--enable-tcmalloc \
--disable-docs
RUN ./configure_cmake.sh --prefix=${PREFIX_DIR} --enable-tcmalloc --disable-docs
WORKDIR $HOME/snort3-3.3.2.0/build
RUN make && make install
RUN ln -s /usr/local/lib/libtcmalloc.so.4 /lib/ && \
ln -s /usr/local/lib/libdaq.so.3 /lib/ && \
ldconfig
#
# RUNTIME CONTAINER
#
#FROM ubuntu:22.04
#ENV PREFIX_DIR=/usr/local
#WORKDIR ${PREFIX_DIR}
# Prep apt-get for installing packages
#RUN apt-get update -y
#RUN apt-get upgrade -y
# RUNTIME DEPENDENCIES:
#RUN apt-get install \
# libdnet \
# luajit \
# musl \
# libstdc++
# Copy the build artifacts from the build container to the runtime file system
#COPY --from=builder ${PREFIX_DIR}/etc/ /etc/
#COPY --from=builder ${PREFIX_DIR}/lib/ /lib/
#COPY --from=builder ${PREFIX_DIR}/lib64/ ${PREFIX_DIR}/lib64/
#COPY --from=builder ${PREFIX_DIR}/bin/ /bin/
# Add community rules to snort
WORKDIR $HOME
RUN mkdir ${PREFIX_DIR}/etc/rules && \
mkdir ${PREFIX_DIR}/etc/so_rules/ && \
@ -147,15 +44,38 @@ RUN mkdir ${PREFIX_DIR}/etc/rules && \
touch ${PREFIX_DIR}/etc/rules/local.rules && \
touch ${PREFIX_DIR}/etc/lists/default.blocklist && \
mkdir /var/log/snort
COPY snort3-community-rules.tar ${HOME}/snort3-community-rules.tar
RUN tar -xvzf snort3-community-rules.tar && \
cd snort3-community-rules && \
cp * ${PREFIX_DIR}/etc/rules/
RUN tar -xvzf snort3-community-rules.tar && cd snort3-community-rules && cp * ${PREFIX_DIR}/etc/rules/
RUN snort --version
ENTRYPOINT ["snort", "-c", "/usr/local/etc/snort/snort.lua", "-R", "/usr/local/etc/rules/snort3-community.rules", "-i", "wl01", "-s", "65535", "-k", "none"]
# Install OpenAppID
WORKDIR $HOME
COPY snort-openappid.tar.gz ${HOME}/OpenAppId-23020.tar.gz
RUN tar -xzvf OpenAppId-23020.tar.gz && cp -R odp /usr/local/lib/
RUN pip3 install pygeoip dnif idstools
#RUN mkdir /usr/local/lookups && cd /usr/local/lookups && \
# wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz && \
# wget http://download.maxmind.com/download/geoip/database/asnum/GeoIPASNum.dat.gz && \
# gunzip GeoLiteCity.dat.gz GeoIPASNum.dat.gz
# Install snort-sgent
WORKDIR /usr/local/src
RUN wget https://github.com/dnif/snort-agent/archive/0.8.tar.gz && tar -zxvf 0.8.tar.gz && mv snort-agent-* snort-agent
# Set up SSH
RUN mkdir /var/run/sshd
RUN echo 'root:screencast' | chpasswd
RUN sed -i 's/PermitRootLogin prohibit-password/PermitRootLogin yes/' /etc/ssh/sshd_config
RUN sed 's@session\s*required\s*pam_loginuid.so@session optional pam_loginuid.so@g' -i /etc/pam.d/sshd
RUN echo "export VISIBLE=now" >> /etc/profile
EXPOSE 22
COPY supervisord.conf /etc/supervisor/conf.d/supervisord.conf
COPY entrypoint.sh ${HOME}/entrypoint.sh
#CMD ["/usr/bin/supervisord", "-c", "/etc/supervisor/conf.d/supervisord.conf"]
#ENTRYPOINT ["snort", "-c", "/usr/local/etc/snort/snort.lua", "-R", "/usr/local/etc/rules/snort3-community.rules", "-i", "wl01", "-s", "65535", "-k", "none"]
#ENTRYPOINT ["tail", "-f", "/dev/null"]
ENTRYPOINT ["/bin/bash", "/root/entrypoint.sh"]
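Review bot: The new SSH block bakes a fixed root credential into the image and enables password login for root — `RUN echo 'root:screencast' | chpasswd` followed by the sed that rewrites `PermitRootLogin prohibit-password` to `PermitRootLogin yes`, with `EXPOSE 22` advertising the service — so anyone who can reach port 22 of the container gets a root shell with a password that is now in the repository history. Delete the chpasswd line and the PermitRootLogin rewrite; if shell access over SSH is really needed, COPY or mount an `authorized_keys` file under `/root/.ssh/` and add `RUN sed -i 's/^#\?PasswordAuthentication .*/PasswordAuthentication no/' /etc/ssh/sshd_config` so only key authentication is accepted (for a lab sensor, `docker exec` makes sshd unnecessary). The build inputs are also unpinned and unverified: `git clone https://github.com/snort3/libdaq.git` builds whatever HEAD is on the build day, the gperftools, snort3 and snort-agent tarballs are fetched with wget and unpacked with no checksum check, and `pip3 install pygeoip dnif idstools` takes the latest of each — pin a libdaq tag with `--branch <tag> --depth 1`, record a SHA-256 per tarball and verify it with `sha256sum -c` before `tar`, and pin the pip versions. With the runtime stage commented out, the final image ships the full toolchain (g++, gdb, git, strace) and runs everything as root; restoring the multi-stage COPY from `builder` would remove most of that attack surface.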


@ -6,6 +6,21 @@ services:
dockerfile: Dockerfile
context: ./
volumes:
- snort:/usr/local/etc/snort
volumes:
snort:
- ./snort-conf:/usr/local/etc/snort
- ./snort-rules.txt:/usr/local/etc/rules/local.rules
ports:
- 22:22
networks:
snort_lan:
ping:
image: willfarrell/ping
environment:
HOSTNAME: snort
TIMEOUT: 10
networks:
snort_lan:
networks:
snort_lan:
driver: bridge
#volumes:
# snort:
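Review bot: `ports: - 22:22` publishes the container's sshd on every host interface, and the Dockerfile in this same commit configures that sshd for password root login, so bringing the stack up exposes a root login to the host's whole network. If SSH into the sensor is needed at all, bind it to loopback on an unprivileged port, `- "127.0.0.1:2222:22"`, or drop the mapping and use `docker compose exec snort bash`. The `ping` sidecar uses `image: willfarrell/ping` with no tag or digest, so each `up` can pull a different image; pin it as `willfarrell/ping:<tag>@sha256:<digest>`. The snort service mounts `./snort-rules.txt` over `local.rules` and `./snort-conf` over the whole `/usr/local/etc/snort` directory, so the snort.lua installed at build time is hidden by whatever is in the repo checkout — fine if intended, but worth a comment in the file.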

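--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -0,0 +1 @@
+/usr/bin/supervisord -c /etc/supervisor/conf.d/supervisord.conf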
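Review bot: supervisord is launched as a child of the bash that `ENTRYPOINT ["/bin/bash", "/root/entrypoint.sh"]` starts, so bash remains PID 1 and the SIGTERM from `docker stop` is delivered to bash — which does not forward signals to a foreground child — rather than to supervisord, leaving snort and the agent to be SIGKILLed after the stop timeout. Make it `exec /usr/bin/supervisord -c /etc/supervisor/conf.d/supervisord.conf` and add a `#!/bin/bash` first line so the script also behaves when run directly. supervisord.conf is not in the visible part of this commit; if it does not set `nodaemon=true`, supervisord daemonizes and the container exits at once, so adding `-n` here is a cheap safeguard.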

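--- a/snort-agent.conf
+++ b/snort-agent.conf
@@ -0,0 +1,12 @@
+[program:snort-agent]
+command=/usr/bin/python -u /usr/local/src/snort-agent/snort-agent.py
+process_name=%(program_name)s
+autostart=true
+autorestart=true
+redirect_stderr=true
+stdout_logfile=/var/log/snort-agent.log
+stderr_logfile=/var/log/snort-agent.log
+stderr_events_enabled=true
+directory=/tmp/
+stopasgroup=true
+stdout_logfile_maxbytes=10MB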
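Review bot: `command=/usr/bin/python -u /usr/local/src/snort-agent/snort-agent.py` names an interpreter the image most likely lacks: the Dockerfile in this commit installs `python3` and `python3-pip` on `ubuntu:22.04` but not `python-is-python3`, so there is no `/usr/bin/python`, and with `autorestart=true` supervisor will respawn the failing program indefinitely. Change it to `command=/usr/bin/python3 -u /usr/local/src/snort-agent/snort-agent.py` — assuming snort-agent 0.8 runs under Python 3, which is worth confirming since the `pip3`-installed `dnif`/`idstools` modules it presumably needs are only available to python3. There is no `user=` line, so the agent runs as root from `directory=/tmp/` although it only needs read access to Snort's alert output; add a dedicated unprivileged account. Nothing in the visible Dockerfile copies this file into `/etc/supervisor/conf.d/` (only `supervisord.conf` is COPY'd), so unless that file includes it the program definition is never loaded.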

snort-conf/balanced.lua Normal file

@ -0,0 +1,20 @@
---------------------------------------------------------------------------
-- balanced connectivity and security policy
-- use with -c snort.lua --tweaks balanced
---------------------------------------------------------------------------
arp_spoof = nil
detection = { pcre_override = false }
http_inspect.request_depth = 300
http_inspect.response_depth = 500
port_scan = nil
stream_ip.min_frag_length = 16
table.insert(
binder, 1, -- add http port binding to appease the perf gods
{ when = { proto = 'tcp', ports = '80', role='server' }, use = { type = 'http_inspect' } })


@ -0,0 +1,21 @@
---------------------------------------------------------------------------
-- reduced security policy that favors connectivity
-- use with -c snort.lua --tweaks connectivity
---------------------------------------------------------------------------
arp_spoof = nil
http_inspect.request_depth = 300
http_inspect.response_depth = 500
http_inspect.unzip = false
http_inspect.utf8 = false
port_scan = nil
stream_ip.min_frag_length = 16
table.insert(
binder, 1, -- add http port binding to appease the perf gods
{ when = { proto = 'tcp', ports = '80', role='server' }, use = { type = 'http_inspect' } })

snort-conf/file_magic.rules Normal file

@ -0,0 +1,219 @@
file_id (msg:"Excel spreadsheet subheader (MS Office)"; file_meta:type XLW, id 1, category "Office Documents", group "office"; file_data; content:"| 09 08 10 00 00 06 05 00 |", depth 8, offset 512; gid:4; sid:1; rev:1;)
file_id (msg:"POSIX Tape Archive file"; file_meta:type POSIX_TAR, id 2, category "Archive"; file_data; content:"| 75 73 74 61 72 00 20 20 |", depth 8, offset 257; gid:4; sid:2; rev:1;)
file_id (msg:"Pre-POSIX Tape Archive file"; file_meta:type OLD_TAR, id 3, category "Archive"; file_data; content:"| 75 73 74 61 72 20 |", depth 6, offset 257; gid:4; sid:3; rev:1;)
file_id (msg:"QuickTime movie file"; file_meta:type MOV, id 4, category "Multimedia", group "video"; file_data; content:"| 66 72 65 65 |", depth 4, offset 4; gid:4; sid:4; rev:1;)
file_id (msg:"QuickTime movie file"; file_meta:type MOV, id 5, category "Multimedia", group "video"; file_data; content:"| 6D 6F 6F 76 |", depth 4, offset 4; gid:4; sid:5; rev:1;)
file_id (msg:"QuickTime movie file"; file_meta:type MOV, id 6, category "Multimedia", group "video"; file_data; content:"| 6D 64 61 74 |", depth 4, offset 4; gid:4; sid:6; rev:1;)
file_id (msg:"QuickTime movie file"; file_meta:type MOV, id 7, category "Multimedia", group "video"; file_data; content:"| 70 6E 6F 74 |", depth 4, offset 4; gid:4; sid:7; rev:1;)
file_id (msg:"QuickTime movie file"; file_meta:type MOV, id 8, category "Multimedia", group "video"; file_data; content:"| 66 74 79 70 |", depth 4, offset 4; gid:4; sid:8; rev:1;)
file_id (msg:"File compressed with lha utility/algorithm (lha, lzh)"; file_meta:type LHA, id 9, category "Archive"; file_data; content:"| 2D 6C 68 |", depth 3, offset 2; gid:4; sid:9; rev:1;)
file_id (msg:"Disc Image file based on ISO-9660 standard (iso)c"; file_meta:type ISO, id 10, category "System files"; file_data; content:"| 43 44 30 30 31 |", depth 5, offset 32769; gid:4; sid:10; rev:1;)
file_id (msg:"Disc Image file based on ISO-9660 standard (iso)c"; file_meta:type ISO, id 11, category "System files"; file_data; content:"| 43 44 30 30 31 |", depth 5, offset 34817; gid:4; sid:11; rev:1;)
file_id (msg:"Disc Image file based on ISO-9660 standard (iso)c"; file_meta:type ISO, id 12, category "System files"; file_data; content:"| 43 44 30 30 31 |", depth 5, offset 36865; gid:4; sid:12; rev:1;)
file_id (msg:"S3M audio module format"; file_meta:type S3M, id 13, category "Multimedia", group "audio"; file_data; content:"| 53 43 52 4d |", depth 4, offset 44; gid:4; sid:13; rev:1;)
file_id (msg:"FLIC Animation file"; file_meta:type FLIC, id 14, category "Multimedia"; file_data; content:"| 11 AF |", depth 2, offset 4; content:"| 40 01 |", depth 2, offset 8 ; content:"| c8 00 |", depth 2, offset 10 ; file_data; content:"| 00 00 |", depth 2, offset 20 ; file_data; content:"| 00 00 00 00 00 00 00 00 |", depth 8, offset 42; gid:4; sid:14; rev:1;)
file_id (msg:"FLIC Animation file"; file_meta:type FLIC, id 15, category "Multimedia"; file_data; content:"| 12 AF |", depth 2, offset 4; content:"| 40 01 |", depth 2, offset 8 ; content:"| c8 00 |", depth 2, offset 10 ; file_data; content:"| 00 00 |", depth 2, offset 20 ; file_data; content:"| 00 00 00 00 00 00 00 00 |", depth 8, offset 42; gid:4; sid:15; rev:1;)
file_id (msg:"Windows/DOS executable file"; file_meta:type MSEXE, id 21, category "Executables,Dynamic Analysis Capable,Local Malware Analysis Capable"; file_data; content:"| 4D 5A |", depth 2, offset 0; gid:4; sid:16; rev:1;)
file_id (msg:"PDF file"; file_meta:type PDF, id 22, category "PDF files,Dynamic Analysis Capable,Local Malware Analysis Capable"; file_data; content:"| 25 50 44 46 |", depth 4, offset 0; gid:4; sid:17; rev:1;)
file_id (msg:"Rich text format word processing file"; file_meta:type RTF, id 23, category "Office Documents,Dynamic Analysis Capable"; file_data; content:"| 7B 5C 72 74 |", depth 4, offset 0; gid:4; sid:18; rev:1;)
file_id (msg:"Resource Interchange File Format"; file_meta:type RIFF, id 24, category "Multimedia"; file_data; content:"| 52 49 46 46 |", depth 4, offset 0; gid:4; sid:19; rev:1;)
file_id (msg:"Microsoft Compiled HTML Help File"; file_meta:type MSCHM, id 25, category "Office Documents"; file_data; content:"| 49 54 53 46 |", depth 4, offset 0; gid:4; sid:20; rev:1;)
file_id (msg:"Microsoft Windows CAB"; file_meta:type MSCAB, id 26, category "Archive"; file_data; content:"| 4D 53 43 46 |", depth 4, offset 0; gid:4; sid:21; rev:1;)
file_id (msg:"Microsoft Object Linking and Embedding Compound File, used for office documents as well as installers"; file_meta:type MSOLE2, id 27, category "Office Documents,Dynamic Analysis Capable,Local Malware Analysis Capable"; file_data; content:"| D0 CF 11 E0 A1 B1 1A E1 |", depth 8, offset 0; gid:4; sid:22; rev:1;)
file_id (msg:"SZDD file format"; file_meta:type MSSZDD, id 28, category "Archive"; file_data; content:"| 53 5A 44 44 88 F0 27 33 |", depth 8, offset 0; gid:4; sid:23; rev:1;)
file_id (msg:"PKZIP archive file"; file_meta:type ZIP, id 29, category "Archive"; file_data; content:"| 50 4B 03 04 |", depth 4, offset 0; gid:4; sid:24; rev:1;)
file_id (msg:"WinRAR compressed archive file"; file_meta:type RAR, id 30, category "Archive"; file_data; content:"| 52 61 72 21 1A 07 00 |", depth 7, offset 0; gid:4; sid:25; rev:1;)
file_id (msg:"7-Zip compressed file"; file_meta:type 7Z, id 31, category "Archive"; file_data; content:"| 37 7A BC AF 27 1C |", depth 6, offset 0; gid:4; sid:26; rev:1;)
file_id (msg:"bzip2 compressed archive"; file_meta:type BZ, id 32, category "Archive"; file_data; content:"| 42 5A 68 |", depth 3, offset 0; gid:4; sid:27; rev:1;)
file_id (msg:"GZ"; file_meta:type GZ, id 33, category "Archive"; file_data; content:"| 1F 8B 08 |", depth 3, offset 0; gid:4; sid:28; rev:1;)
file_id (msg:"Compressed archive file"; file_meta:type ARJ, id 34, category "Archive"; file_data; content:"| 60 EA 00 00 |", depth 4, offset 0; gid:4; sid:29; rev:1;)
file_id (msg:"Install Shield v5.x or 6.x compressed file"; file_meta:type ISHIELD_MSI, id 35, category "Executables"; file_data; content:"| 49 53 63 28 |", depth 4, offset 0; gid:4; sid:30; rev:1;)
file_id (msg:"Macintosh BinHex 4 Compressed Archive"; file_meta:type BINHEX, id 36, category "Executables"; file_data; content:"| 28 54 68 69 73 20 66 69 6C 65 20 6D 75 73 74 20 62 65 20 63 6F 6E 76 65 72 74 65 64 20 77 69 74 68 20 42 69 6E 48 65 78 20 |", depth 41, offset 0; gid:4; sid:31; rev:1;)
file_id (msg:"E-mail files for Netscape, Eudora, Outlook Express and QuickMail."; file_meta:type MAIL, id 37, category "Office Documents"; file_data; content:"| 46 72 6F 6D 20 20 20 |", depth 7, offset 0; gid:4; sid:32; rev:1;)
file_id (msg:"E-mail files for Netscape, Eudora, Outlook Express and QuickMail."; file_meta:type MAIL, id 38, category "Office Documents"; file_data; content:"| 46 72 6F 6D 20 3F 3F 3F |", depth 8, offset 0; gid:4; sid:33; rev:1;)
file_id (msg:"E-mail files for Netscape, Eudora, Outlook Express and QuickMail."; file_meta:type MAIL, id 39, category "Office Documents"; file_data; content:"| 46 72 6F 6D 3A 20 |", depth 6, offset 0; gid:4; sid:34; rev:1;)
file_id (msg:"E-mail files for Netscape, Eudora, Outlook Express and QuickMail."; file_meta:type MAIL, id 40, category "Office Documents"; file_data; content:"| 52 65 74 75 72 6E 2D 50 61 74 68 3A 20 |", depth 13, offset 0; gid:4; sid:35; rev:1;)
file_id (msg:"E-mail files for Netscape, Eudora, Outlook Express and QuickMail."; file_meta:type MAIL, id 41, category "Office Documents"; file_data; content:"| 58 2D |", depth 2, offset 0; gid:4; sid:36; rev:1;)
file_id (msg:"Transport Neutral Encapsulation Format, an E-mail attachment format"; file_meta:type TNEF, id 42, category "Office Documents"; file_data; content:"| 78 9F 3E 22 |", depth 4, offset 0; gid:4; sid:37; rev:1;)
file_id (msg:"Universal Binary/Java Bytecode"; file_meta:type BINARY_DATA, id 43, category "Executables"; file_data; content:"| CA FE BA BE |", depth 4, offset 0; gid:4; sid:38; rev:1;)
file_id (msg:"UUencoded file"; file_meta:type UUENCODED, id 44, category "Encoded"; file_data; content:"| 62 65 67 69 6E |", depth 5, offset 0; gid:4; sid:39; rev:1;)
file_id (msg:"Script encoder file"; file_meta:type SCRENC, id 45, category 'Encoded"; file_data; content:"| 23 40 7E 5E |", depth 4, offset 0; gid:4; sid:40; rev:1;)
file_id (msg:"Executable and Linking Format executable file (Linux/Unix)"; file_meta:type ELF, id 46, category "Executables"; file_data; content:"| 7F 45 4C 46 |", depth 4, offset 0; gid:4; sid:41; rev:1;)
file_id (msg:"Mach object file format"; file_meta:type MACHO, id 47, category "Executables"; file_data; content:"| CE FA ED FE |", depth 4, offset 0; gid:4; sid:42; rev:1;)
file_id (msg:"Mach object file format"; file_meta:type MACHO, id 48, category "Executables"; file_data; content:"| CF FA ED FE |", depth 4, offset 0; gid:4; sid:43; rev:1;)
file_id (msg:"Mach object file format"; file_meta:type MACHO, id 49, category "Executables"; file_data; content:"| FE ED FA CE |", depth 4, offset 0; gid:4; sid:44; rev:1;)
file_id (msg:"Mach object file format"; file_meta:type MACHO, id 50, category "Executables"; file_data; content:"| FE ED FA CF |", depth 4, offset 0; gid:4; sid:45; rev:1;)
file_id (msg:"Software Installation Script, an archive for Symbian OS"; file_meta:type SIS, id 51, category "Archive"; file_data; content:"| 19 04 00 10 |", depth 4, offset 0; gid:4; sid:46; rev:1;)
file_id (msg:"Flash file "; file_meta:type SWF, id 52, category "Multimedia"; file_data; content:"| 43 57 53 |", depth 3, offset 0; gid:4; sid:47; rev:1;)
file_id (msg:"Flash file "; file_meta:type SWF, id 53, category 'Multimedia"; file_data; content:"| 46 57 53 |", depth 3, offset 0; gid:4; sid:48; rev:1;)
file_id (msg:"Archive created with the cpio utility- standard ASCII format"; file_meta:type CPIO_ODC, id 55, category "Archive"; file_data; content:"| 30 37 30 37 30 37 |", depth 6, offset 0; gid:4; sid:49; rev:1;)
file_id (msg:"Archive created with the cpio utility- new ASCII (aka SVR4) format"; file_meta:type CPIO_NEWC, id 56, category "Archive"; file_data; content:"| 30 37 30 37 30 31 |", depth 6, offset 0; gid:4; sid:50; rev:1;)
file_id (msg:"Archive created with the cpio utility- CRC format"; file_meta:type CPIO_CRC, id 57, category "Archive"; file_data; content:"| 30 37 30 37 30 32 |", depth 6, offset 0; gid:4; sid:51; rev:1;)
file_id (msg:"MPEG video file"; file_meta:type MPEG, id 58, category "Multimedia", group "video"; file_data; content:"| 00 00 01 B3 |", depth 4, offset 0; gid:4; sid:52; rev:1;)
file_id (msg:"MPEG video file"; file_meta:type MPEG, id 59, category "Multimedia", group "video"; file_data; content:"| 00 00 01 BA |", depth 4, offset 0; gid:4; sid:53; rev:1;)
file_id (msg:"Adobe encapsulated PostScript file"; file_meta:type EPS, id 60, category "PDF files"; file_data; content:"| 25 21 50 53 2D 41 64 6F 62 65 2D |", depth 11, offset 0; gid:4; sid:54; rev:1;)
file_id (msg:"RealNetworks RealMedia streaming media file"; file_meta:type RMF, id 61, category "Multimedia"; file_data; content:"| 2E 52 4D 46 |", depth 4, offset 0; gid:4; sid:55; rev:1;)
file_id (msg:"GIF"; file_meta:type GIF, id 62, category "Graphics"; file_data; content:"| 47 49 46 38 37 61 |", depth 6, offset 0; gid:4; sid:56; rev:1;)
file_id (msg:"GIF"; file_meta:type GIF, id 63, category 'Graphics"; file_data; content:"| 47 49 46 38 39 61 |", depth 6, offset 0; gid:4; sid:57; rev:1;)
file_id (msg:"MPEG-1 Audio Layer 3 (MP3) audio file"; file_meta:type MP3, id 64, category "Multimedia"; file_data; content:"| 49 44 33 |", depth 3, offset 0; gid:4; sid:58; rev:1;)
file_id (msg:"MPEG-1 Audio Layer 3 (MP3) audio file"; file_meta:type MP3, id 65, category "Multimedia"; file_data; content:"| FF FB |", depth 2, offset 0; gid:4; sid:59; rev:1;)
file_id (msg:"Ogg Vorbis Codec compressed Multimedia file"; file_meta:type OGG, id 66, category "Multimedia"; file_data; content:"| 4F 67 67 53 |", depth 4, offset 0; gid:4; sid:60; rev:1;)
file_id (msg:"RIFX audio format"; file_meta:type RIFX, id 67, category "Multimedia", group "audio"; file_data; content:"| 52 49 46 58 |", depth 4, offset 0; gid:4; sid:61; rev:1;)
file_id (msg:"Symantec files"; file_meta:type SYMANTEC, id 68, category "System files"; file_data; content:"| 58 2D 53 79 6D 61 6E 74 65 63 2D |", depth 11, offset 0; gid:4; sid:62; rev:1;)
file_id (msg:"Portable Network Graphics file"; file_meta:type PNG, id 69, category "Graphics", group "multimedia"; file_data; content:"| 89 50 4E 47 0D 0A 1A 0A |", depth 8, offset 0; gid:4; sid:63; rev:1;)
file_id (msg:"JPEG/JFIF graphics file"; file_meta:type JPEG, id 70, category "Graphics", group "multimedia"; file_data; content:"| FF D8 FF E0 |", depth 4, offset 0; gid:4; sid:64; rev:1;)
file_id (msg:"Jar pack file"; file_meta:type JARPACK, id 72, category "Executables"; file_data; content:"| CA FE D0 0D |", depth 4, offset 0; gid:4; sid:65; rev:1;)
file_id (msg:"Java archive file"; file_meta:type JAR, id 73, category "Archive"; file_data; content:"| 50 4B 03 04 |", depth 4, offset 0; content:"| 4D 45 54 41 2D 49 4E 46 2F |", depth 9, offset 30; gid:4; sid:66; rev:1;)
file_id (msg:"Flash video file"; file_meta:type FLV, id 74, category "Multimedia", group "video"; file_data; content:"| 46 4C 56 01 |", depth 4, offset 0; gid:4; sid:67; rev:1;)
file_id (msg:"Waveform Audio File Format"; file_meta:type WAV, id 76, category "Multimedia", group "audio"; file_data; content:"| 62 65 61 74 |", depth 4, offset 0; gid:4; sid:68; rev:1;)
file_id (msg:"Waveform Audio File Format"; file_meta:type WAV, id 77, category "Multimedia", group "video"; file_data; content:"| 4D 58 43 33 |", depth 4, offset 0; gid:4; sid:69; rev:1;)
file_id (msg:"ffmpeg Multimedia framework"; file_meta:type FFMPEG, id 78, category "Multimedia"; file_data; content:"| 34 58 4D 56 |", depth 4, offset 0; gid:4; sid:70; rev:1;)
file_id (msg:"Apple Disk Image"; file_meta:type DMG, id 79, category "System files"; file_data; content:"| 45 52 02 00 |", depth 4, offset 0; gid:4; sid:71; rev:1;)
file_id (msg:"Apple Disk Image"; file_meta:type DMG, id 80, category "System files"; file_data; content:"| 32 49 4D 47 |", depth 4, offset 0; gid:4; sid:72; rev:1;)
file_id (msg:"RealPlayer video file"; file_meta:type IVR, id 81, category "Multimedia", group "video"; file_data; content:"| 2E 52 45 43 |", depth 4, offset 0; gid:4; sid:73; rev:1;)
file_id (msg:"RealPlayer video file"; file_meta:type IVR, id 82, category "Multimedia", group "video"; file_data; content:"| 2E 52 31 4D |", depth 4, offset 0; gid:4; sid:74; rev:1;)
file_id (msg:"RealAudio file"; file_meta:type RA, id 83, category "Multimedia", group "audio"; file_data; content:"| 2E 52 4D 46 00 00 00 12 00 |", depth 9, offset 0; gid:4; sid:75; rev:1;)
file_id (msg:"RealAudio file"; file_meta:type RA, id 84, category "Multimedia", group "audio"; file_data; content:"| 2E 72 61 FD 00 |", depth 5, offset 0; gid:4; sid:76; rev:1;)
file_id (msg:"Virtual Machine Disk"; file_meta:type VMDK, id 85, category "System files"; file_data; content:"| 43 4F 57 44 |", depth 4, offset 0; gid:4; sid:77; rev:1;)
file_id (msg:"Virtual Machine Disk"; file_meta:type VMDK, id 86, category "System files"; file_data; content:"|4B 44 4D |", depth 3, offset 0; gid:4; sid:78; rev:1;)
file_id (msg:"Virtual Machine Disk"; file_meta:type VMDK, id 87, category "System files"; file_data; content:"| 23 20 44 69 73 6B 20 44 65 73 63 72 69 70 74 6F |", depth 16, offset 0; gid:4; sid:79; rev:1;)
file_id (msg:"Virtual Machine Disk"; file_meta:type VMDK, id 88, category "System files"; file_data; content:"| 2E 03 00 00 01 |", depth 5, offset 0; gid:4; sid:80; rev:1;)
file_id (msg:"Free Lossless Audio Codec file"; file_meta:type FLAC, id 89, category "Multimedia", group "audio"; file_data; content:"| 66 4C 61 43 00 00 00 22 |", depth 8, offset 0; gid:4; sid:81; rev:1;)
file_id (msg:"S3M audio module format"; file_meta:type S3M, id 90 , category "Multimedia", group "audio"; file_data; content:"| 53 43 52 4d |", depth 4, offset 0; gid:4; sid:82; rev:1;)
file_id (msg:"Microsoft Windows Media Audio/Video File"; file_meta:type ASF, id 91, category "Multimedia", group "audio"; file_data;content:"| 30 26 B2 75 8E 66 CF 11 A6 D9 00 AA 00 62 CE 6C |", depth 16, offset 0; gid:4; sid:83; rev:1;)
file_id (msg:"Microsoft Word for Mac 5"; file_meta:type MSWORD_MAC5, id 93, category "Office Documents", group "office"; file_data; content:"| FE 37 00 23 |", depth 4, offset 0; gid:4; sid:84; rev:1;)
file_id (msg:"Microsoft symbolic Link"; file_meta:type SYLKc, id 94, category "System files"; file_data; content:"| 49 44 3B 50 |", depth 4, offset 0; gid:4; sid:85; rev:1;)
file_id (msg:"WordPerfect text and graphics file"; file_meta:type WP, id 95, category "Office Documents"; file_data; content:"| FF 57 50 43 |", depth 4, offset 0; gid:4; sid:86; rev:1;)
file_id (msg:"WordPerfect text and graphics file"; file_meta:type WP, id 96, category "Office Documents"; file_data; content:"| 81 CD AB |", depth 3, offset 0; gid:4; sid:87; rev:1;)
file_id (msg:"Tagged Image File Format file"; file_meta:type TIFF, id 97, category "Graphics", group "multimedia"; file_data; content:"| 49 49 2A 00 |", depth 4, offset 0; gid:4; sid:88; rev:1;)
file_id (msg:"Tagged Image File Format file"; file_meta:type TIFF, id 98, category "Graphics", group "multimedia"; file_data; content:"| 49 20 49 |", depth 3, offset 0; gid:4; sid:89; rev:1;)
file_id (msg:"Tagged Image File Format file"; file_meta:type TIFF, id 99, category "Graphics", group "multimedia"; file_data; content:"| 4D 4D 00 2A |", depth 4, offset 0; gid:4; sid:90; rev:1;)
file_id (msg:"Tagged Image File Format file"; file_meta:type TIFF, id 100, category "Graphics", group "multimedia"; file_data; content:"| 4D 4D 00 2B |", depth 4, offset 0; gid:4; sid:91; rev:1;)
file_id (msg:"Metastock technical analysis program for traders"; file_meta:type MWL, id 101, category "Office Documents"; file_data; content:"| 5b 4d 65 74 61 53 74 6f 63 6b |", depth 10, offset 0; gid:4; sid:92; rev:1;)
file_id (msg:"Microsoft Access file"; file_meta:type MDB, id 102, category "Office Documents"; file_data; content:"| 00 01 00 00 53 74 61 6E 64 61 72 64 20 4A 65 74 20 44 42 |", depth 19, offset 0; gid:4; sid:93; rev:1;)
file_id (msg:"Microsoft Access 2007 file"; file_meta:type ACCDB, id 103, category "Office Documents"; file_data; content:"| 00 01 00 00 53 74 61 6E 64 61 72 64 20 41 43 45 20 44 42 |", depth 19, offset 0; gid:4; sid:94; rev:1;)
file_id (msg:"Microsoft Money file"; file_meta:type MNY, id 104, category "Office Documents"; file_data; content:"| 00 01 00 00 4D 53 49 53 41 4D 20 44 61 74 61 62 61 73 65 |", depth 19, offset 0; gid:4; sid:95; rev:1;)
file_id (msg:"RealNetworks Realplayer REC"; file_meta:type REC, id 105, category "Multimedia"; file_data; content:"| 2e 72 65 63 00 |", depth 5, offset 0; gid:4; sid:96; rev:1;)
file_id (msg:"RealNetworks Realplayer R1M"; file_meta:type R1M, id 106, category "Multimedia"; file_data; content:"| 2e 72 31 6d |", depth 4, offset 0; gid:4; sid:97; rev:1;)
file_id (msg:"Outlook address file"; file_meta:type WAB, id 107, category "Office Documents", group "office"; file_data; content:"| 9C CB CB 8D 13 75 D2 11 91 58 00 C0 4F 79 56 A4 |", depth 16, offset 0; gid:4; sid:98; rev:1;)
file_id (msg:"Outlook address file"; file_meta:type WAB, id 108, category "Office Documents", group "office"; file_data; content:"| 81 32 84 C1 85 05 D0 11 B2 90 00 AA 00 3C F6 76 |", depth 16, offset 0; gid:4; sid:99; rev:1;)
file_id (msg:"Multimedia playlists"; file_meta:type M3U, id 109, category "Multimedia"; file_data; content:"| 23 45 58 54 4d 33 55 |", depth 7, offset 0; gid:4; sid:100; rev:1;)
file_id (msg:"Matroska stream file"; file_meta:type MKV, id 110, category "Multimedia"; file_data; content:"| 1A 45 DF A3 93 42 82 88 6D 61 74 72 6F 73 6B 61 |", depth 16, offset 0; gid:4; sid:101; rev:1;)
file_id (msg:"ChromaGraph Graphics Card Bitmap Graphic file"; file_meta:type IMG_PICT, id 111, category "Graphics", group "multimedia"; file_data; content:"| 50 49 43 54 00 08 |", depth 6, offset 0; gid:4; sid:102; rev:1;)
file_id (msg:"Advanced Module Format for digital music"; file_meta:type AMF, id 112, category "Multimedia", group "audio"; file_data; content:"| 41 4d 46 |", depth 3, offset 0; gid:4; sid:103; rev:1;)
file_id (msg:"WebM audio-video format"; file_meta:type WEBM, id 113, category "Multimedia", group "audio,video"; file_data; content:"| 1A 45 DF A3 |", depth 4, offset 0; gid:4; sid:104; rev:1;)
file_id (msg:"Autodesk Maya"; file_meta:type MAYA, id 114, category "Graphics"; file_data; content:"| 2f 2f 4d 61 79 61 |", depth 6, offset 0; gid:4; sid:105; rev:1;)
file_id (msg:"Musical Instrument Digital Interface (MIDI) sound file"; file_meta:type MIDI, id 115, category "Multimedia", group "audio"; file_data; content:"| 4D 54 68 64 |", depth 4, offset 0; gid:4; sid:106; rev:1;)
file_id (msg:"multimedia playlists"; file_meta:type PLS, id 116, category "Multimedia"; file_data; content:"| 5b 70 6c 61 79 6c 69 73 74 5d |", depth 10, offset 0; gid:4; sid:107; rev:1;)
file_id (msg:"Synchronized Multimedia Integration Language"; file_meta:type SMIL, id 117, category "Multimedia"; file_data; content:"| 3c 73 6d 69 6c 3e |", depth 6, offset 0; gid:4; sid:108; rev:1;)
file_id (msg:"Synchronized Accessible Media Interchange"; file_meta:type SAMI, id 119, category "Multimedia"; file_data; content:"| 3c 53 41 4d 49 |", depth 5, offset 0; gid:4; sid:109; rev:1;)
file_id (msg:"Autodesk AutoCAD file (dwg) "; file_meta:type DWG, id 130, category "Graphics"; file_data; content:"| 41 43 31 30 |", depth 4, offset 0; gid:4; sid:111; rev:1;)
file_id (msg:"Microsoft Document Imaging file (mdi)"; file_meta:type MDI, id 132, category "Office Documents"; file_data; content:"| 45 50 |", depth 2, offset 0; gid:4; sid:112; rev:1;)
file_id (msg:"PGP disk image(PGD)"; file_meta:type PGD, id 133, category "System files"; file_data; content:"| 50 47 50 64 4D 41 49 4E |", depth 8, offset 0; gid:4; sid:113; rev:1;)
file_id (msg:"Photoshop image file (PSD)"; file_meta:type PSD, id 134, category "Graphics"; file_data; content:"| 38 42 50 53 |", depth 4, offset 0; gid:4; sid:114; rev:1;)
file_id (msg:"Windows 9x registry hive (REG)"; file_meta:type 9XHIVE, id 135, category "System files"; file_data; content:"| 43 52 45 47 |", depth 4, offset 0; gid:4; sid:115; rev:1;)
file_id (msg:"Windows Registry and Registry Undo files (REG)"; file_meta:type REG, id 136, category "System files"; file_data; content:"| 52 45 47 45 44 49 54 |", depth 7, offset 0; gid:4; sid:116; rev:1;)
file_id (msg:"Windows graphics metafile "; file_meta:type WMF, id 137, category "Graphics"; file_data; content:"| 01 00 09 00 00 03 |", depth 6, offset 0; gid:4; sid:117; rev:1;)
file_id (msg:"Windows Write document file (wri) "; file_meta:type WRI, id 138, category "Office Documents"; file_data; content:"| BE 00 00 00 AB 00 00 00 00 00 00 00 00 |", depth 13, offset 0; gid:4; sid:118; rev:1;)
file_id (msg:"RedHat Package Manager file"; file_meta:type RPM, id 139, category "Executables"; file_data; content:"| ED AB EE DB |", depth 4, offset 0; gid:4; sid:119; rev:1;)
file_id (msg:"Microsoft OneNote note"; file_meta:type ONE, id 140, category "Office Documents", group "office"; file_data; content:"| E4 52 5C 7B 8C D8 A7 4D AE B1 53 78 D0 29 96 D3 |", depth 16, offset 0; gid:4; sid:120; rev:1;)
file_id (msg:"MPEG-4 video files"; file_meta:type MP4, id 141, category "Multimedia", group "video"; file_data; content:"| 00 00 00 18 66 74 79 70 33 67 70 35 |", depth 12, offset 0; gid:4; sid:121; rev:1;)
file_id (msg:"MPEG-4 video files"; file_meta:type MP4, id 142, category "Multimedia", group "video"; file_data; content:"| 66 74 79 70 69 73 6F 6D |", depth 8, offset 4; gid:4; sid:122; rev:1;)
file_id (msg:"Packet capture file"; file_meta:type PCAP, id 143, category "System files"; file_data; content:"| D4 C3 B2 A1 |", depth 4, offset 0; gid:4; sid:123; rev:1;)
file_id (msg:"Packet capture file"; file_meta:type PCAP, id 144, category "System files"; file_data; content:"| 34 CD B2 A1 |", depth 4, offset 0; gid:4; sid:124; rev:1;)
file_id (msg:"Packet capture file"; file_meta:type PCAP, id 145, category "System files"; file_data; content:"| A1 B2 C3 D4 |", depth 4, offset 0; gid:4; sid:125; rev:1;)
file_id (msg:"Packet capture file"; file_meta:type PCAP, id 146, category "System files"; file_data; content:"| A1 B2 CD 34 |", depth 4, offset 0; gid:4; sid:126; rev:1;)
file_id (msg:"Packet capture file"; file_meta:type PCAP, id 147, category "System files"; file_data; content:"| 52 54 53 53 |", depth 4, offset 0; gid:4; sid:127; rev:1;)
file_id (msg:"Bitmap image file"; file_meta:type BMP, id 148, category "Graphics", group "multimedia"; file_data; content:"| 42 4D |", depth 2, offset 0; gid:4; sid:128; rev:1;)
file_id (msg:"Windows icon file"; file_meta:type ICO, id 149, category "Graphics"; file_data; content:"| 00 00 01 00 |", depth 4, offset 0; gid:4; sid:129; rev:1;)
file_id (msg:"BitTorrent File"; file_meta:type TORRENT, id 150, category "Executables"; file_data; content:"| 64 38 3A 61 6E 6E 6F 75 6E 63 65 |", depth 11, offset 0; gid:4; sid:130; rev:1;)
file_id (msg:"Adaptive Multi-Rate Codec File"; file_meta:type AMR, id 151, category "Multimedia"; file_data; content:"| 23 21 41 4D 52 |", depth 5, offset 0; gid:4; sid:131; rev:1;)
file_id (msg:"StuffIt compressed archive"; file_meta:type SIT, id 152, category "Archive"; file_data; content:"| 53 49 54 21 00 |", depth 5, offset 0; gid:4; sid:132; rev:1;)
file_id (msg:"Microsoft Outlook Personal Folder File"; file_meta:type PST, id 153, category "Office Documents", group "office"; file_data; content:"| 21 42 44 4E |", depth 4, offset 0; gid:4; sid:133; rev:1;)
file_id (msg:"Windows Help file"; file_meta:type HLP, id 154, category "Office Documents"; file_data; content:"| 4C 4E 02 00 |", depth 4, offset 0; gid:4; sid:134; rev:1;)
file_id (msg:"Windows Help file"; file_meta:type HLP, id 155, category "Office Documents"; file_data; content:"| 3F 5F 03 00 |", depth 4, offset 0; gid:4; sid:135; rev:1;)
file_id (msg:"Windows Autorun setup file"; file_meta:type AUTORUN, id 156, category "Executables"; file_data; content:"| 5B 61 75 74 6F 72 75 6E 5D 0D 0A |", depth 11, offset 0; gid:4; sid:136; rev:1;)
file_id (msg:"JPEG/JFIF graphics file"; file_meta:type JPEG, id 157, category "Graphics", group "multimedia"; file_data; content:"| FF D8 FF E1 |", depth 4, offset 0; gid:4; sid:137; rev:1;)
file_id (msg:"Compressed archive file"; file_meta:type ARJ, id 158, category "Archive"; file_data; content:"| 60 EA |", depth 2, offset 0; gid:4; sid:138; rev:1;)
file_id (msg:"MPEG-1 Audio Layer 3 (MP3) audio file"; file_meta:type MP3, id 159, category "Multimedia", group "audio"; file_data; content:"| FF FA |", depth 2, offset 0; gid:4; sid:139; rev:1;)
file_id (msg:"StuffIt compressed archive"; file_meta:type SIT, id 160, category "Archive"; file_data; content:"| 53 74 75 66 66 49 74 20 |", depth 8, offset 0; gid:4; sid:140; rev:1;)
file_id (msg:"Windows graphics metafile "; file_meta:type WMF, id 162, category "Graphics"; file_data; content:"| D7 CD C6 9A |", depth 4, offset 0; gid:4; sid:141; rev:1;)
file_id (msg:"Software Installation Script, an archive for Symbian OS"; file_meta:type SIS, id 163, category "Archive"; file_data; content:"| 7A 1A 20 10 |", depth 4, offset 0; gid:4; sid:142; rev:1;)
file_id (msg:"Windows Write document file (wri) "; file_meta:type WRI, id 164, category "Office Documents"; file_data; content:"| 31 BE |", depth 2, offset 0; gid:4; sid:143; rev:1;)
file_id (msg:"Windows Write document file (wri) "; file_meta:type WRI, id 165, category "Office Documents"; file_data; content:"| 32 BE |", depth 2, offset 0; gid:4; sid:144; rev:1;)
file_id (msg:"Waveform Audio File Format"; file_meta:type WAV, id 166, category "Multimedia", group "audio"; file_data; content:"| 52 49 46 46 |", depth 4, offset 0; content:"| 57 41 56 45 66 6D 74 20 |", depth 8, offset 8; gid:4; sid:145; rev:1;)
file_id (msg:"MPEG-4 video files"; file_meta:type MP4, id 167, category "Multimedia", group "video"; file_data; content:"| 66 74 79 70 6D 70 34 32 |", depth 8, offset 4; gid:4; sid:146; rev:1;)
file_id (msg:"MPEG-4 video files"; file_meta:type MP4, id 168, category "Multimedia", group "video"; file_data; content:"| 66 74 79 70 33 67 70 |", depth 7, offset 4; gid:4; sid:147; rev:1;)
file_id (msg:"MPEG-4 video files"; file_meta:type MP4, id 169, category "Multimedia", group "video"; file_data; content:"| 66 74 79 70 4D 53 4E 56 |", depth 8, offset 4; gid:4; sid:148; rev:1;)
file_id (msg:"Digital Imaging and Communications in Medicine"; file_meta:type DICM, id 170, category "Multimedia"; file_data; content:"| 44 49 43 4D |", depth 4, offset 128; gid:4; sid:149; rev:1;)
file_id (msg:"PKZIP encrypted archive file"; file_meta:type ZIP_ENC, id 171, category "Archive"; file_data; content:"| 50 4B 03 04 |", depth 4, offset 0; content:"| 01 |", depth 1, offset 6; gid:4; sid:150; rev:1;)
file_id (msg:"Standard Anti-Virus Test File"; file_meta:type EICAR, id 273, category "Executables"; file_data; content:"| 58 35 4F 21 50 25 |", depth 6, offset 0; gid:4; sid:151; rev:1;)
file_id (msg:"Microsoft XML Paper Specification Document"; file_meta:type XPS, id 275, category "Office Documents"; file_data; content:"| 50 4B 03 04 |", depth 4, offset 0; content:"| 46 69 78 65 64 44 6F 63 75 6D |", depth 10, offset 30; gid:4; sid:152; rev:1;)
file_id (msg:"Microsoft XML Paper Specification Document"; file_meta:type XPS, id 277, category "Office Documents"; file_data; content:"| 50 4B 03 04 |", depth 4, offset 0; content:"| 44 6F 63 75 6D 65 6E 74 73 2F |", depth 10, offset 30; gid:4; sid:153; rev:1;)
file_id (msg:"Microsoft XML Paper Specification Document"; file_meta:type XPS, id 278, category "Office Documents"; file_data; content:"| 50 4B 03 04 |", depth 4, offset 0; content:"| 4D 65 74 61 64 61 74 61 2F |", depth 9, offset 30; gid:4; sid:154; rev:1;)
file_id (msg:"Windows crash dump file"; file_meta:type DMP, id 279, category "System files"; file_data; content:"| 4D 44 4D 50 93 A7 |", depth 6, offset 0; gid:4; sid:155; rev:1;)
file_id (msg:"Windows crash dump file"; file_meta:type DMP, id 280, category "System files"; file_data; content:"| 50 41 47 45 44 55 36 34 |", depth 8, offset 0; gid:4; sid:156; rev:1;)
file_id (msg:"Windows crash dump file"; file_meta:type DMP, id 281, category "System files"; file_data; content:"| 50 41 47 45 44 55 4D 50 |", depth 8, offset 0; gid:4; sid:157; rev:1;)
file_id (msg:"PDF file "; file_meta:type PDF, id 282, category "PDF files,Dynamic Analysis Capable,Local Malware Analysis Capable", version "1.0"; file_data; content:"| 25 50 44 46 2D 31 2E 30 |", depth 8, offset 0; gid:4; sid:158; rev:1;)
file_id (msg:"PDF file "; file_meta:type PDF, id 283, category "PDF files,Dynamic Analysis Capable,Local Malware Analysis Capable", version "1.1"; file_data; content:"| 25 50 44 46 2D 31 2E 31 |", depth 8, offset 0; gid:4; sid:159; rev:1;)
file_id (msg:"PDF file "; file_meta:type PDF, id 284, category "PDF files,Dynamic Analysis Capable,Local Malware Analysis Capable", version "1.2"; file_data; content:"| 25 50 44 46 2D 31 2E 32 |", depth 8, offset 0; gid:4; sid:160; rev:1;)
file_id (msg:"PDF file "; file_meta:type PDF, id 285, category "PDF files,Dynamic Analysis Capable,Local Malware Analysis Capable", version "1.3"; file_data; content:"| 25 50 44 46 2D 31 2E 33 |", depth 8, offset 0; gid:4; sid:161; rev:1;)
file_id (msg:"PDF file "; file_meta:type PDF, id 286, category "PDF files,Dynamic Analysis Capable,Local Malware Analysis Capable", version "1.4"; file_data; content:"| 25 50 44 46 2D 31 2E 34 |", depth 8, offset 0; gid:4; sid:162; rev:1;)
file_id (msg:"PDF file "; file_meta:type PDF, id 287, category "PDF files,Dynamic Analysis Capable,Local Malware Analysis Capable", version "1.5"; file_data; content:"| 25 50 44 46 2D 31 2E 35 |", depth 8, offset 0; gid:4; sid:163; rev:1;)
file_id (msg:"PDF file "; file_meta:type PDF, id 288, category "PDF files,Dynamic Analysis Capable,Local Malware Analysis Capable", version "1.6"; file_data; content:"| 25 50 44 46 2D 31 2E 36 |", depth 8, offset 0; gid:4; sid:164; rev:1;)
file_id (msg:"PDF file "; file_meta:type PDF, id 289, category "PDF files,Dynamic Analysis Capable,Local Malware Analysis Capable", version "1.7"; file_data; content:"| 25 50 44 46 2D 31 2E 37 |", depth 8, offset 0;gid:4; sid:165; rev:1;)
file_id (msg:"Binary files for Microcontroller/Other Chip based applications"; file_meta:type IntelHEX, id 290, category "System files"; file_data; content:"| 3A 31 |", depth 2, offset 0; content:"| 30 30 |", depth 2, offset 7; gid:4; sid:166; rev:1;)
file_id (msg:"Binary files for Microcontroller/Other Chip based applications"; file_meta:type IntelHEX, id 291, category "System files"; file_data; content:"| 3A 31 |", depth 2, offset 0; content:"| 30 31 |", depth 2, offset 7; gid:4; sid:167; rev:1;)
file_id (msg:"Binary files for Microcontroller/Other Chip based applications"; file_meta:type IntelHEX, id 292, category "System files"; file_data; content:"| 3A 31 |", depth 2, offset 0; content:"| 30 32 |", depth 2, offset 7; gid:4; sid:168; rev:1;)
file_id (msg:"Binary files for Microcontroller/Other Chip based applications"; file_meta:type IntelHEX, id 293, category "System files"; file_data; content:"| 3A 31 |", depth 2, offset 0; content:"| 30 33 |", depth 2, offset 7; gid:4; sid:169; rev:1;)
file_id (msg:"Binary files for Microcontroller/Other Chip based applications"; file_meta:type IntelHEX, id 294, category "System files"; file_data; content:"| 3A 31 |", depth 2, offset 0; content:"| 30 34 |", depth 2, offset 7; gid:4; sid:170; rev:1;)
file_id (msg:"Binary files for Microcontroller/Other Chip based applications"; file_meta:type IntelHEX, id 295, category "System files"; file_data; content:"| 3A 31 |", depth 2, offset 0; content:"| 30 35 |", depth 2, offset 7; gid:4; sid:171; rev:1;)
file_id (msg:"Binary files for Microcontroller/Other Chip based applications"; file_meta:type IntelHEX, id 296, category "System files"; file_data; content:"| 3A 31 |", depth 2, offset 0; content:"| 32 30 |", depth 2, offset 7; gid:4; sid:172; rev:1;)
file_id (msg:"Binary files for Microcontroller/Other Chip based applications"; file_meta:type IntelHEX, id 297, category "System files"; file_data; content:"| 3A 31 |", depth 2, offset 0; content:"| 32 32 |", depth 2, offset 7; gid:4; sid:173; rev:1;)
file_id (msg:"Binary files for Microcontroller/Other Chip based applications"; file_meta:type IntelHEX, id 298, category "System files"; file_data; content:"| 3A 32 |", depth 2, offset 0; content:"| 30 30 |", depth 2, offset 7; gid:4; sid:174; rev:1;)
file_id (msg:"Binary files for Microcontroller/Other Chip based applications"; file_meta:type IntelHEX, id 300, category "System files"; file_data; content:"| 3A 32 |", depth 2, offset 0; content:"| 30 31 |", depth 2, offset 7; gid:4; sid:175; rev:1;)
file_id (msg:"Binary files for Microcontroller/Other Chip based applications"; file_meta:type IntelHEX, id 301, category "System files"; file_data; content:"| 3A 32 |", depth 2, offset 0; content:"| 30 32 |", depth 2, offset 7; gid:4; sid:176; rev:1;)
file_id (msg:"Binary files for Microcontroller/Other Chip based applications"; file_meta:type IntelHEX, id 302, category "System files"; file_data; content:"| 3A 32 |", depth 2, offset 0; content:"| 30 33 |", depth 2, offset 7; gid:4; sid:177; rev:1;)
file_id (msg:"Binary files for Microcontroller/Other Chip based applications"; file_meta:type IntelHEX, id 303, category "System files"; file_data; content:"| 3A 32 |", depth 2, offset 0; content:"| 30 34 |", depth 2, offset 7; gid:4; sid:178; rev:1;)
file_id (msg:"Binary files for Microcontroller/Other Chip based applications"; file_meta:type IntelHEX, id 304, category "System files"; file_data; content:"| 3A 32 |", depth 2, offset 0; content:"| 30 35 |", depth 2, offset 7; gid:4; sid:179; rev:1;)
file_id (msg:"Binary files for Microcontroller/Other Chip based applications"; file_meta:type IntelHEX, id 306, category "System files"; file_data; content:"| 3A 32 |", depth 2, offset 0; content:"| 32 32 |", depth 2, offset 7; gid:4; sid:180; rev:1;)
file_id (msg:"Windows Registry and Registry Undo files (REG)"; file_meta:type REG, id 307, category "System files"; file_data; content:"| FF FE |", depth 2, offset 0; gid:4; sid:181; rev:1;)
file_id (msg:"Proprietary layout engine for Microsoft Internet Explorer"; file_meta:type MSHTML, id 308, category "Office Documents"; file_data; content:"| 3D 22 2D 2D 2D 2D 3D 5F |", depth 8, offset 60; gid:4; sid:182; rev:1;)
file_id (msg:"Microsoft Visual Basic files, including .cs, .vb, and .vbp"; file_meta:type VB, id 310, category "System files"; file_data; content:"| EF BB BF |", depth 3, offset 0; gid:4; sid:183; rev:1;)
file_id (msg:"Microsoft Visual Basic files, including .cs, .vb, and .vbp"; file_meta:type VB, id 311, category "System files"; file_data; content:"| 54 79 70 65 3D 45 78 65 |", depth 8, offset 0; gid:4; sid:184; rev:1;)
file_id (msg:"MPEG-4 video files"; file_meta:type MP4, id 313, category "Multimedia"; file_data; content:"| 66 74 79 70 64 61 73 68 |", depth 8, offset 4; gid:4; sid:185; rev:1;)
file_id (msg:"Microsoft Windows Shortcut Files"; file_meta:type LNK, id 314, category "Executables"; file_data; content:"| 4C 00 00 00 01 14 02 00 |", depth 8, offset 0; gid:4; sid:186; rev:1;)
file_id (msg:"Microsoft Windows Shortcut Files"; file_meta:type SCR, id 315, category "Executables"; file_data; content:"| 44 43 4E 01 |", depth 4, offset 0; gid:4; sid:187; rev:1;)
file_id (msg:"Microsoft Windows Shortcut Files"; file_meta:type SCR, id 316, category "Executables"; file_data; content:"| 44 43 44 01 |", depth 4, offset 0; gid:4; sid:188; rev:1;)
file_id (msg:"Matroska stream file"; file_meta:type MKV, id 317, category "Multimedia"; file_data; content:"| 1A 45 DF A3 01 00 00 00 00 00 00 23 42 86 81 01 |", depth 16, offset 0; gid:4; sid:189; rev:1;)
file_id (msg:"FLIC Animation file"; file_meta:type FLIC, id 16, category "Multimedia"; file_data; content:"| 44 AF |", depth 2, offset 4; content:"| 40 01 |", depth 2, offset 8 ; content:"| c8 00 |", depth 2, offset 10 ; file_data; content:"| 00 00 |", depth 2, offset 20 ; file_data; content:"| 00 00 00 00 00 00 00 00 |", depth 8, offset 42; gid:4; sid:190; rev:1;)
file_id (msg:"FLIC Animation file"; file_meta:type FLIC, id 17, category "Multimedia"; file_data; content:"| 30 AF |", depth 2, offset 4; content:"| 40 01 |", depth 2, offset 8 ; content:"| c8 00 |", depth 2, offset 10 ; file_data; content:"| 00 00 |", depth 2, offset 20 ; file_data; content:"| 00 00 00 00 00 00 00 00 |", depth 8, offset 42; gid:4; sid:191; rev:1;)
file_id (msg:"FLIC Animation file"; file_meta:type FLIC, id 18, category "Multimedia"; file_data; content:"| 31 AF |", depth 2, offset 4; content:"| 40 01 |", depth 2, offset 8 ; content:"| c8 00 |", depth 2, offset 10 ; file_data; content:"| 00 00 |", depth 2, offset 20 ; file_data; content:"| 00 00 00 00 00 00 00 00 |", depth 8, offset 42; gid:4; sid:192; rev:1;)
file_id (msg:"Windows NT registry hive (REG)"; file_meta:type NTHIVE, id 161, category "System files"; file_data; content:"| 72 65 67 66 |", depth 4, offset 0; gid:4; sid:193; rev:1;)
file_id (msg:"Binary files for Microcontroller/Other Chip based applications"; file_meta:type IntelHEX, id 305, category "System files"; file_data; content:"| 3A 32 |", depth 2, offset 0; content:"| 32 30 |", depth 2, offset 7; gid:4; sid:194; rev:1;)
file_id (msg:"Java archive file"; file_meta:type JAR, id 318, category "Archive"; file_data; content:"| 50 4B 03 04 |", depth 4, offset 0; content:"| 63 6F 6E 74 65 6E 74 2F |", depth 8, offset 30; gid:4; sid:195; rev:1;)
file_id (msg:"Java archive file"; file_meta:type JAR, id 319, category "Archive"; file_data; content:"| 50 4B 03 04 |", depth 4, offset 0; content:"| 6F 70 74 69 6F 6E 73 2F |", depth 8, offset 30; gid:4; sid:196; rev:1;)
file_id (msg:"WinRAR compressed archive file"; file_meta:type RAR, id 320, category "Archive", version "1.1"; file_data; content:"| 52 61 72 21 1A 07 01 00 |", depth 8, offset 0; gid:4; sid:197; rev:1;)
file_id (msg:"Archive file for Microsoft created using software ALZip"; file_meta:type ALZ, id 321, category "Archive"; file_data; content:"| 41 4C 5A 01 |", depth 4, offset 0; gid:4; sid:198; rev:1;)
file_id (msg:"Archive File for Microsoft created using software ALZip"; file_meta:type EGG, id 322, category "Archive"; file_data; content:"| 45 47 47 41 |", depth 4, offset 0; gid:4; sid:199; rev:1;)
file_id (msg:"Hangul word processor file"; file_meta:type HWP, id 323, category "Office Documents", version "3.0"; file_data; content:"| 48 57 50 20 44 6F 63 75 6D 65 6E 74 20 46 69 6C 65 |", depth 17, offset 0; gid:4; sid:200; rev:1;)
file_id (msg:"Flash file"; file_meta:type SWF, id 324, category "Multimedia"; file_data; content:"| 5A 57 53 |", depth 3, offset 0; gid:4; sid:201; rev:1;)
file_id (msg:"Packet capture file"; file_meta:type PCAP, id 325, category "System files"; file_data; content:"| 0A 0D 0D 0A |", depth 4, offset 0; gid:4; sid:202; rev:1;)
file_id (msg:"Flash file "; file_meta:type SWF, id 54, category "Multimedia"; file_data; content:"| 58 46 49 52 |", depth 4, offset 0; gid:4; sid:203; rev:1;)
file_id (msg:"Microsoft Office Open XML Format (OOXML) Document (PPTX)"; file_meta:type PPTX, id 326, category "Office Documents,Dynamic Analysis Capable,Local Malware Analysis Capable", group "office"; file_data; content:"| 50 4B 03 04 |", depth 4, offset 0; content:"| 70 70 74 2f |", depth 4, offset 30; gid:4; sid:204; rev:1;)
file_id (msg:"Microsoft Office Open XML Format (OOXML) Document (DOCX)"; file_meta:type DOCX, id 327, category "Office Documents,Dynamic Analysis Capable,Local Malware Analysis Capable", group "office"; file_data; content:"| 50 4B 03 04 |", depth 4, offset 0; content:"| 77 6f 72 64 2f |", depth 5, offset 30; gid:4; sid:205; rev:1;)
file_id (msg:"Microsoft Office Open XML Format (OOXML) Document (XLSX)"; file_meta:type XLSX, id 328, category "Office Documents,Dynamic Analysis Capable,Local Malware Analysis Capable", group "office"; file_data; content:"| 50 4B 03 04 |", depth 4, offset 0; content:"| 78 6c 2f |", depth 3, offset 30; gid:4; sid:206; rev:1;)
file_id (msg:"Microsoft Office Open XML Format (OOXML) Document (DOCX, PPTX, XLSX)"; file_meta:type NEW_OFFICE, id 329, category "Office Documents,Dynamic Analysis Capable,Local Malware Analysis Capable", group "office"; file_data; content:"| 50 4B 03 04 |", depth 4, offset 0; content:"| 5b 43 6f 6e 74 65 6e 74 5f 54 79 70 65 73 5d 2e |", depth 16, offset 30; gid:4; sid:207; rev:1;)
file_id (msg:"Microsoft Office Open XML Format (OOXML) Document (DOCX, PPTX, XLSX)"; file_meta:type NEW_OFFICE, id 330, category "Office Documents,Dynamic Analysis Capable,Local Malware Analysis Capable", group "office"; file_data; content:"| 50 4B 03 04 |", depth 4, offset 0; content:"| 5f 72 65 6c 73 2f |", depth 6, offset 30; gid:4; sid:208; rev:1;)
file_id (msg:"Microsoft Office Open XML Format (OOXML) Document (DOCX, PPTX, XLSX)"; file_meta:type NEW_OFFICE, id 331, category "Office Documents,Dynamic Analysis Capable,Local Malware Analysis Capable", group "office"; file_data; content:"| 50 4B 03 04 |", depth 4, offset 0; content:"| 64 6f 63 50 72 6f 70 73 2f |", depth 9, offset 30; gid:4; sid:209; rev:1;)
file_id (msg:"Audio Interchange File Format"; file_meta:type AIF, id 345, category "Multimedia"; file_data; content:"| 46 4F 52 40 |", depth 4, offset 0; gid:4; sid:210; rev:1;)
file_id (msg:"Audio Interchange File Format"; file_meta:type AIF, id 346, category "Multimedia"; file_data; content:"| 41 49 46 46 |", depth 4, offset 8; gid:4; sid:211; rev:1;)
file_id (msg:"Debian package file"; file_meta:type DEB, id 333, category "System files"; file_data; content:"| 21 3C 61 72 |", depth 4, offset 0; gid:4; sid:212; rev:1;)
file_id (msg:"Windows Cursor file"; file_meta:type CUR, id 337, category "System files"; file_data; content:"| 00 00 02 00 02 00 30 30 00 00 01 |", depth 11, offset 0; gid:4; sid:216; rev:1;)
file_id (msg:"Audio Video Interleave"; file_meta:type AVI, id 339, category "Multimedia"; file_data; content:"| 41 56 49 |", depth 3, offset 8; gid:4; sid:218; rev:1;)
file_id (msg:"Sound file"; file_meta:type SND, id 340, category "Multimedia"; file_data; content:"| 73 6E 64 |", depth 3, offset 1; gid:4; sid:219; rev:1;)
file_id (msg:"MPEG-4 Audio"; file_meta:type M4A, id 341, category "Multimedia"; file_data; content:"| 4D 34 41 |", depth 3, offset 8; gid:4; sid:220; rev:1;)
file_id (msg:"Video Object file, audio container in DVD media"; file_meta:type VOB, id 342, category "Multimedia"; file_data; content:"| 00 00 01 BA 44 |", depth 5, offset 0; gid:4; sid:221; rev:1;)
file_id (msg:"Windows Media Video"; file_meta:type WMV, id 343, category "Multimedia"; file_data; content:"| 30 26 B2 75 |", depth 4, offset 0; gid:4; sid:222; rev:1;)
file_id (msg:"iTunes video file"; file_meta:type M5V, id 344, category "Multimedia"; file_data; content:"| 4D 34 56 |", depth 3, offset 8; gid:4; sid:223; rev:1;)
file_id (msg:"Executable script"; file_meta:type UNIX_SCRIPT, id 347, category "Executables"; file_data; content:"| 23 21 2F |", depth 3, offset 0; gid:4; sid:224; rev:1;)

20
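--- a/snort-conf/inline.lua
+++ b/snort-conf/inline.lua
@@ -0,0 +1,20 @@
+---------------------------------------------------------------------------
+-- inline test tweaks
+-- use with --tweaks inline
+---------------------------------------------------------------------------
+daq =
+{
+modules =
+{
+{
+name = 'pcap',
+mode = 'read-file'
+},
+{
+name = 'dump',
+variables = { 'output=none' }
+},
+},
+}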
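Review bot: The header says only `use with --tweaks inline`, but the daq block configures the `pcap` module in `read-file` mode with a `dump` module whose output is `none`, i.e. an offline replay whose rewritten packets are discarded, not a live inline deployment; a reader choosing this tweak by its name would expect the latter. A one-line comment under the header would prevent that, e.g. `-- replays a pcap (read-file) and discards dump output: for offline inline-mode testing, not live traffic`. If this mirrors the stock snort3 tweak file, naming that origin in the header would also help when it is later diffed against a newer release.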

48
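--- a/snort-conf/max_detect.lua
+++ b/snort-conf/max_detect.lua
@@ -0,0 +1,48 @@
+---------------------------------------------------------------------------
+-- maximum detection policy
+-- this will yield lowest throughput
+-- use with -c snort.lua --tweaks max_detect
+---------------------------------------------------------------------------
+arp_spoof = nil
+ftp_server.check_encrypted = true
+detection =
+{
+pcre_match_limit = 3500,
+pcre_match_limit_recursion = 3500,
+-- enable for hyperscan for best throughput
+-- use multiple packet threads for fast startup
+--hyperscan_literals = true,
+--pcre_to_regex = true
+}
+http_inspect.decompress_pdf = true
+http_inspect.decompress_swf = true
+http_inspect.decompress_zip = true
+http_inspect.percent_u = true
+http_inspect.normalize_javascript = true
+imap.decompress_pdf = true
+imap.decompress_swf = true
+imap.decompress_zip = true
+pop.decompress_pdf = true
+pop.decompress_swf = true
+pop.decompress_zip = true
+port_scan = nil
+search_engine.detect_raw_tcp = true
+smtp.decompress_pdf = true
+smtp.decompress_swf = true
+smtp.decompress_zip = true
+stream_ip.min_frag_length = 100
+telnet.check_encrypted = true
+telnet.normalize = true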
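Review bot: `detection = { ... }` replaces the whole detection table, while every other line in the file (`http_inspect.decompress_pdf = true`, `telnet.normalize = true`, ...) only sets a field on an already-defined module table; if snort.lua defines any detection options before the tweak is included (the tweak section of snort.lua is not visible on this page), they would be silently dropped. A guarded, additive form keeps the style consistent without assuming snort.lua defines the table: `detection = detection or { }`, `detection.pcre_match_limit = 3500`, `detection.pcre_match_limit_recursion = 3500`; security.lua has the same pattern. Separately, `arp_spoof = nil` and `port_scan = nil` switch two inspectors off in a policy titled "maximum detection" without saying why, so a comment such as `-- arp_spoof and port_scan are intentionally disabled here: <reason - TODO confirm>` would stop the next reader from treating it as a mistake.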

38
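--- a/snort-conf/security.lua
+++ b/snort-conf/security.lua
@@ -0,0 +1,38 @@
+---------------------------------------------------------------------------
+-- enhanced security policy
+-- use with -c snort.lua --tweaks security
+---------------------------------------------------------------------------
+arp_spoof = nil
+ftp_server.check_encrypted = true
+detection =
+{
+pcre_match_limit = 3500,
+pcre_match_limit_recursion = 3500
+}
+http_inspect.decompress_pdf = true
+http_inspect.decompress_swf = true
+http_inspect.decompress_zip = true
+imap.decompress_pdf = true
+imap.decompress_swf = true
+imap.decompress_zip = true
+pop.decompress_pdf = true
+pop.decompress_swf = true
+pop.decompress_zip = true
+port_scan = nil
+smtp.decompress_pdf = true
+smtp.decompress_swf = true
+smtp.decompress_zip = true
+stream_ip.min_frag_length = 100
+telnet.check_encrypted = true
+telnet.normalize = true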
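Review bot: The header calls this an "enhanced security policy" but does not say how it relates to max_detect.lua, and the two files are nearly identical: judging from the visible lines, this one omits only `http_inspect.percent_u`, `http_inspect.normalize_javascript`, `search_engine.detect_raw_tcp` and the commented hyperscan hints. A reader choosing between the two tweaks has to diff them to find that out, so one line in the header would help, e.g. `-- subset of max_detect: omits percent_u, normalize_javascript and search_engine.detect_raw_tcp`. If the two files are meant to stay in lockstep, noting that here is also what will keep them from drifting apart.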


@ -0,0 +1,25 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"SENSITIVE-DATA Credit Card Numbers"; flow:only_stream; pkt_data; sd_pattern:"credit_card", threshold 2; service:http, smtp, ftp-data, imap, pop3; classtype:sdf; gid:13; sid:1; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"SENSITIVE-DATA Credit Card Numbers"; file_data; sd_pattern:"credit_card", threshold 2; service:http, smtp, ftp-data, imap, pop3; classtype:sdf; gid:13; sid:2; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"SENSITIVE-DATA Credit Card Numbers"; http_uri; sd_pattern:"credit_card", threshold 2; service:http; classtype:sdf; gid:13; sid:3; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"SENSITIVE-DATA Credit Card Numbers"; http_header; sd_pattern:"credit_card", threshold 2; service:http; classtype:sdf; gid:13; sid:4; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"SENSITIVE-DATA Credit Card Numbers"; http_client_body; sd_pattern:"credit_card", threshold 2; service:http; classtype:sdf; gid:13; sid:5; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"SENSITIVE-DATA U.S. Social Security Numbers (with dashes)"; flow:only_stream; pkt_data; sd_pattern:"us_social", threshold 2; service:http, smtp, ftp-data, imap, pop3; classtype:sdf; gid:13; sid:6; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"SENSITIVE-DATA U.S. Social Security Numbers (with dashes)"; file_data; sd_pattern:"us_social", threshold 2; service:http, smtp, ftp-data, imap, pop3; classtype:sdf; gid:13; sid:7; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"SENSITIVE-DATA U.S. Social Security Numbers (with dashes)"; http_uri; sd_pattern:"us_social", threshold 2; service:http; classtype:sdf; gid:13; sid:8; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"SENSITIVE-DATA U.S. Social Security Numbers (with dashes)"; http_header; sd_pattern:"us_social", threshold 2; service:http; classtype:sdf; gid:13; sid:9; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"SENSITIVE-DATA U.S. Social Security Numbers (with dashes)"; http_client_body; sd_pattern:"us_social", threshold 2; service:http; classtype:sdf; gid:13; sid:10; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"SENSITIVE-DATA U.S. Social Security Numbers (w/out dashes)"; flow:only_stream; pkt_data; sd_pattern:"us_social_nodashes", threshold 20; service:http, smtp, ftp-data, imap, pop3; classtype:sdf; gid:13; sid:11; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"SENSITIVE-DATA U.S. Social Security Numbers (w/out dashes)"; file_data; sd_pattern:"us_social_nodashes", threshold 20; service:http, smtp, ftp-data, imap, pop3; classtype:sdf; gid:13; sid:12; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"SENSITIVE-DATA U.S. Social Security Numbers (w/out dashes)"; http_uri; sd_pattern:"us_social_nodashes", threshold 20; service:http; classtype:sdf; gid:13; sid:13; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"SENSITIVE-DATA U.S. Social Security Numbers (w/out dashes)"; http_header; sd_pattern:"us_social_nodashes", threshold 20; service:http; classtype:sdf; gid:13; sid:14; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"SENSITIVE-DATA U.S. Social Security Numbers (w/out dashes)"; http_client_body; sd_pattern:"us_social_nodashes", threshold 20; service:http; classtype:sdf; gid:13; sid:15; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"SENSITIVE-DATA Email Addresses"; flow:only_stream; pkt_data; sd_pattern:"email", threshold 20; service:http, smtp, ftp-data, imap, pop3; classtype:sdf; gid:13; sid:16; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"SENSITIVE-DATA Email Addresses"; file_data; sd_pattern:"email", threshold 20; service:http, smtp, ftp-data, imap, pop3; classtype:sdf; gid:13; sid:17; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"SENSITIVE-DATA Email Addresses"; http_uri; sd_pattern:"email", threshold 20; service:http; classtype:sdf; gid:13; sid:18; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"SENSITIVE-DATA Email Addresses"; http_header; sd_pattern:"email", threshold 20; service:http; classtype:sdf; gid:13; sid:19; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"SENSITIVE-DATA Email Addresses"; http_client_body; sd_pattern:"email", threshold 20; service:http; classtype:sdf; gid:13; sid:20; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"SENSITIVE-DATA U.S. Phone Numbers"; flow:only_stream; pkt_data; sd_pattern:"us_phone", threshold 20; service:http, smtp, ftp-data, imap, pop3; classtype:sdf; gid:13; sid:21; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"SENSITIVE-DATA U.S. Phone Numbers"; file_data; sd_pattern:"us_phone", threshold 20; service:http, smtp, ftp-data, imap, pop3; classtype:sdf; gid:13; sid:22; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"SENSITIVE-DATA U.S. Phone Numbers"; http_uri; sd_pattern:"us_phone", threshold 20; service:http; classtype:sdf; gid:13; sid:23; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"SENSITIVE-DATA U.S. Phone Numbers"; http_header; sd_pattern:"us_phone", threshold 20; service:http; classtype:sdf; gid:13; sid:24; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"SENSITIVE-DATA U.S. Phone Numbers"; http_client_body; sd_pattern:"us_phone", threshold 20; service:http; classtype:sdf; gid:13; sid:25; rev:1; )
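Review bot: Every rule is `$HOME_NET any -> $EXTERNAL_NET any`, and with `EXTERNAL_NET = '!$HOME_NET'` in snort.lua that means only traffic leaving 172.20.0.0/24 is checked for the credit-card, SSN, e-mail and phone patterns; a HOME_NET-to-HOME_NET transfer never matches. That is a normal choice for a leakage policy, but the file has no header stating it, and the thresholds differ (2 for `credit_card` and `us_social`, 20 for `us_social_nodashes`, `email` and `us_phone`) without explanation. A short header such as `# egress-only sensitive-data rules; low threshold for CC/SSN-with-dashes, higher for the noisier patterns (email, phone, SSN without dashes)` would document both. The file-header line of this section is not shown on the page, so the path and additions count could not be checked.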

283
snort-conf/snort.lua Normal file

@ -0,0 +1,283 @@
---------------------------------------------------------------------------
-- Snort++ configuration
---------------------------------------------------------------------------
-- there are over 200 modules available to tune your policy.
-- many can be used with defaults w/o any explicit configuration.
-- use this conf as a template for your specific configuration.
-- 1. configure defaults
-- 2. configure inspection
-- 3. configure bindings
-- 4. configure performance
-- 5. configure detection
-- 6. configure filters
-- 7. configure outputs
-- 8. configure tweaks
---------------------------------------------------------------------------
-- 1. configure defaults
---------------------------------------------------------------------------
-- HOME_NET and EXTERNAL_NET must be set now
-- setup the network addresses you are protecting
HOME_NET = '172.20.0.0/24'
-- set up the external network addresses.
-- (leave as "any" in most situations)
EXTERNAL_NET = '!$HOME_NET'
include 'snort_defaults.lua'
---------------------------------------------------------------------------
-- 2. configure inspection
---------------------------------------------------------------------------
-- mod = { } uses internal defaults
-- you can see them with snort --help-module mod
-- mod = default_mod uses external defaults
-- you can see them in snort_defaults.lua
-- the following are quite capable with defaults:
stream = { }
stream_ip = { }
stream_icmp = { }
stream_tcp = { }
stream_udp = { }
stream_user = { }
stream_file = { }
arp_spoof = { }
back_orifice = { }
dns = { }
imap = { }
netflow = {}
normalizer = { }
pop = { }
rpc_decode = { }
sip = { }
ssh = { }
ssl = { }
telnet = { }
cip = { }
dnp3 = { }
iec104 = { }
mms = { }
modbus = { }
s7commplus = { }
dce_smb = { }
dce_tcp = { }
dce_udp = { }
dce_http_proxy = { }
dce_http_server = { }
-- see snort_defaults.lua for default_*
gtp_inspect = default_gtp
port_scan = default_med_port_scan
smtp = default_smtp
ftp_server = default_ftp_server
ftp_client = { }
ftp_data = { }
http_inspect = { }
http2_inspect = { }
-- see file_magic.rules for file id rules
file_id = { rules_file = 'file_magic.rules' }
file_policy = { }
js_norm = default_js_norm
-- the following require additional configuration to be fully effective:
appid =
{
-- appid requires this to use appids in rules
--app_detector_dir = 'directory to load appid detectors from'
app_detector_dir = '/usr/local/lib',
log_stats = true,
}
--[[
reputation =
{
-- configure one or both of these, then uncomment reputation
-- (see also related path vars at the top of snort_defaults.lua)
--blacklist = 'blacklist file name with ip lists'
--whitelist = 'whitelist file name with ip lists'
}
--]]
---------------------------------------------------------------------------
-- 3. configure bindings
---------------------------------------------------------------------------
wizard = default_wizard
binder =
{
-- port bindings required for protocols without wizard support
{ when = { proto = 'udp', ports = '53', role='server' }, use = { type = 'dns' } },
{ when = { proto = 'tcp', ports = '53', role='server' }, use = { type = 'dns' } },
{ when = { proto = 'tcp', ports = '111', role='server' }, use = { type = 'rpc_decode' } },
{ when = { proto = 'tcp', ports = '502', role='server' }, use = { type = 'modbus' } },
{ when = { proto = 'tcp', ports = '2123 2152 3386', role='server' }, use = { type = 'gtp_inspect' } },
{ when = { proto = 'tcp', ports = '2404', role='server' }, use = { type = 'iec104' } },
{ when = { proto = 'udp', ports = '2222', role = 'server' }, use = { type = 'cip' } },
{ when = { proto = 'tcp', ports = '44818', role = 'server' }, use = { type = 'cip' } },
{ when = { proto = 'tcp', service = 'dcerpc' }, use = { type = 'dce_tcp' } },
{ when = { proto = 'udp', service = 'dcerpc' }, use = { type = 'dce_udp' } },
{ when = { proto = 'udp', service = 'netflow' }, use = { type = 'netflow' } },
{ when = { service = 'netbios-ssn' }, use = { type = 'dce_smb' } },
{ when = { service = 'dce_http_server' }, use = { type = 'dce_http_server' } },
{ when = { service = 'dce_http_proxy' }, use = { type = 'dce_http_proxy' } },
{ when = { service = 'cip' }, use = { type = 'cip' } },
{ when = { service = 'dnp3' }, use = { type = 'dnp3' } },
{ when = { service = 'dns' }, use = { type = 'dns' } },
{ when = { service = 'ftp' }, use = { type = 'ftp_server' } },
{ when = { service = 'ftp-data' }, use = { type = 'ftp_data' } },
{ when = { service = 'gtp' }, use = { type = 'gtp_inspect' } },
{ when = { service = 'imap' }, use = { type = 'imap' } },
{ when = { service = 'http' }, use = { type = 'http_inspect' } },
{ when = { service = 'http2' }, use = { type = 'http2_inspect' } },
{ when = { service = 'iec104' }, use = { type = 'iec104' } },
{ when = { service = 'mms' }, use = { type = 'mms' } },
{ when = { service = 'modbus' }, use = { type = 'modbus' } },
{ when = { service = 'pop3' }, use = { type = 'pop' } },
{ when = { service = 'ssh' }, use = { type = 'ssh' } },
{ when = { service = 'sip' }, use = { type = 'sip' } },
{ when = { service = 'smtp' }, use = { type = 'smtp' } },
{ when = { service = 'ssl' }, use = { type = 'ssl' } },
{ when = { service = 'sunrpc' }, use = { type = 'rpc_decode' } },
{ when = { service = 's7commplus' }, use = { type = 's7commplus' } },
{ when = { service = 'telnet' }, use = { type = 'telnet' } },
{ use = { type = 'wizard' } }
}
---------------------------------------------------------------------------
-- 4. configure performance
---------------------------------------------------------------------------
-- use latency to monitor / enforce packet and rule thresholds
--latency = { }
-- use these to capture perf data for analysis and tuning
--profiler = { }
--perf_monitor = { }
---------------------------------------------------------------------------
-- 5. configure detection
---------------------------------------------------------------------------
references = default_references
classifications = default_classifications
ips =
{
-- use this to enable decoder and inspector alerts
--enable_builtin_rules = true,
-- use include for rules files; be sure to set your path
-- note that rules files can include other rules files
-- (see also related path vars at the top of snort_defaults.lua)
variables = default_variables
}
-- use these to configure additional rule actions
-- react = { }
-- reject = { }
-- use this to enable payload injection utility
-- payload_injector = { }
---------------------------------------------------------------------------
-- 6. configure filters
---------------------------------------------------------------------------
-- below are examples of filters
-- each table is a list of records
--[[
suppress =
{
-- don't want to any of see these
{ gid = 1, sid = 1 },
-- don't want to see anything for a given host
{ track = 'by_dst', ip = '1.2.3.4' }
-- don't want to see these for a given host
{ gid = 1, sid = 2, track = 'by_dst', ip = '1.2.3.4' },
}
--]]
--[[
event_filter =
{
-- reduce the number of events logged for some rules
{ gid = 1, sid = 1, type = 'limit', track = 'by_src', count = 2, seconds = 10 },
{ gid = 1, sid = 2, type = 'both', track = 'by_dst', count = 5, seconds = 60 },
}
--]]
--[[
rate_filter =
{
-- alert on connection attempts from clients in SOME_NET
{ gid = 135, sid = 1, track = 'by_src', count = 5, seconds = 1,
new_action = 'alert', timeout = 4, apply_to = '[$SOME_NET]' },
-- alert on connections to servers over threshold
{ gid = 135, sid = 2, track = 'by_dst', count = 29, seconds = 3,
new_action = 'alert', timeout = 1 },
}
--]]
---------------------------------------------------------------------------
-- 7. configure outputs
---------------------------------------------------------------------------
-- event logging
-- you can enable with defaults from the command line with -A <alert_type>
-- uncomment below to set non-default configs
--alert_csv = { }
alert_fast = {
file = true,
packet = false,
limit = 10,
}
--alert_full = { }
--alert_sfsocket = { }
--alert_syslog = { }
--unified2 = { }
-- packet logging
-- you can enable with defaults from the command line with -L <log_type>
--log_codecs = { }
--log_hext = { }
--log_pcap = { }
-- additional logs
--packet_capture = { }
--file_log = { }
---------------------------------------------------------------------------
-- 8. configure tweaks
---------------------------------------------------------------------------
if ( tweaks ~= nil ) then
include(tweaks .. '.lua')
end
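Review bot: The `ips` table leaves `--enable_builtin_rules = true,` commented out, yet section 2 turns on inspectors such as port_scan (`default_med_port_scan`), arp_spoof and back_orifice whose detections are builtin, gid-based events that, as far as I can tell, only surface when this flag is set or the matching gid:sid stubs are included in a rules file; with the current config those inspectors run but never produce an alert. If port-scan and spoof detection are intended, change the line to `enable_builtin_rules = true,`. HOME_NET is pinned to `172.20.0.0/24` with no note on where that subnet comes from, and every shipped rule is `$HOME_NET -> $EXTERNAL_NET`, so a mismatch with the container network silently disables detection; a comment such as `-- must match the subnet eth0 is attached to inside the container` above it would make the coupling visible. The `app_detector_dir = '/usr/local/lib'` override keeps the template's placeholder line above it; dropping the placeholder comment would avoid two contradicting lines.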


43
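--- a/snort-conf/talos.lua
+++ b/snort-conf/talos.lua
@@ -0,0 +1,43 @@
+---------------------------------------------------------------------------
+-- talos test tweaks
+-- use with --talos or --tweaks talos
+---------------------------------------------------------------------------
+function file_exists(name)
+local f=io.open(name,'r')
+if f~=nil then
+io.close(f)
+return true
+else
+return false
+end
+end
+daq =
+{
+modules =
+{
+{
+name = 'dump',
+variables = { 'output = none' }
+}
+},
+snaplen = 65535
+}
+if file_exists('local.rules') then
+ips.include = 'local.rules'
+end
+alert_talos = { }
+alerts = { alert_with_interface_name = true }
+profiler =
+{
+modules = { show = false },
+memory = { show = false },
+rules = { show = true }
+}
+snort = { ['-Q'] = true }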

BIN
snort-openappid.tar.gz Normal file


1
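--- a/snort-rules.txt
+++ b/snort-rules.txt
@@ -0,0 +1 @@
+alert icmp any any -> $HOME_NET any (msg:"ICMP connection test"; sid:1000001; rev:1;)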

18
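--- a/supervisord.conf
+++ b/supervisord.conf
@@ -0,0 +1,18 @@
+[supervisord]
+nodaemon=true
+[program:sshd]
+command=/usr/sbin/sshd -D
+#[program:snort-agent]
+#command=/usr/bin/python3 /usr/local/src/snort-agent/snort-agent.py
+#stdout_logfile=/var/log/supervisor.log
+#stderr_logfile=/var/log/supervisor.log
+#autorestart=true
+[program:snort]
+#command=snort -i eth0s -d -c /usr/local/etc/snort/snort.lua -l /var/log/snort
+command=snort -c /usr/local/etc/snort/snort.lua -R /usr/local/etc/rules/local.rules -i eth0 -s 65535 -k none -l /var/log/snort
+stdout_logfile=/var/log/snort/supervisor.log
+stderr_logfile=/var/log/snort/supervisor.log
+autorestart=true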
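Review bot: The snort command in `[program:snort]` keeps the engine running as root for its whole lifetime; Snort 3 can drop privileges once the capture interface is open with `-u <user> -g <group>`, so appending `-u snort -g snort` (with that account created in the image and owning /var/log/snort) would confine the packet-parsing process. `-k none` switches off checksum verification for every protocol, which is a reasonable choice inside a container where NIC offload yields bad checksums on the wire, but it also means the parsers accept frames a host would have discarded, so it deserves a comment like `# -k none: ignore checksums (NIC offload inside the container); remove if capturing a real tap`. The stale `eth0s` variant above the live command appears to be a typo for eth0 and can be deleted rather than kept as a commented alternative. The commit adds a sshd program to the same supervisor; if it is only for development it would be worth a comment saying so, since a listening shell in an IDS container is not something the config explains.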