- #Rule ICMP1
- # Matches any ICMP packet with type 8 (echo request), code 9 and sequence
- # number 295, between any hosts in either network.
- # NOTE(review): code 9 is not a defined code for an echo request, so this is
- # an anomaly signature. The values look like the first echo probe of Nmap OS
- # detection (other rules in this set name Nmap) - confirm against a capture.
- # NOTE(review): msg "ICMP1" tells an analyst nothing about why the rule
- # fired, and the rule carries no rev: or classtype: option.
- alert icmp any any -> any any \
- (msg:"ICMP1";itype:8;icode:9;icmp_seq:295;sid:9000050;)
- # type both with count 1: at most one alert per source address per 300 s.
- event_filter gen_id 1,sig_id 9000050,type both,track by_src,count 1,seconds 300
- #Rule ICMP2
- # Matches any ICMP echo request (type 8, code 0) whose sequence number is 296
- # and whose payload is exactly 150 bytes (dsize:150).
- # NOTE(review): presumably the companion to the sequence-295 rule (sid
- # 9000050), i.e. the second echo probe of the same scanner - confirm.
- # Nothing else in the rule is anomalous, so an ordinary ping that happens to
- # have these two values would also match.
- alert icmp any any -> any any \
- (msg:"I'm an ICMP Echo Request";itype:8;icode:0;icmp_seq:296;dsize:150;sid:9000051;)
- # type both with count 1: at most one alert per source address per 10 s.
- event_filter gen_id 1,sig_id 9000051,type both,track by_src,count 1,seconds 10
- #Rule UDP
- # Matches UDP from source port 43869 where both endpoints are in $HOME_NET
- # and the payload byte at offset 299 (the 300th byte) is 0x43 ("C").
- # offset:299 with depth:1 restricts the content search to that single byte.
- # NOTE(review): the fixed source port looks like a value taken from one
- # capture; the same probe sent from any other source port, or from an
- # address outside $HOME_NET, will not match - confirm whether that is
- # intended.
- # NOTE(review): only one byte of the payload is checked and there is no
- # dsize: constraint, so the rule does not verify the rest of the datagram.
- alert udp $HOME_NET 43869 -> $HOME_NET any \
- (msg:"UDP Weirdness";\
- content:"|43|";offset:299;depth:1;\
- sid:9000052;)
- # type both with count 1: at most one alert per source address per 30 s.
- event_filter gen_id 1,sig_id 9000052,type both,track by_src,count 1,seconds 30
- #Rule T2
- # Matches a TCP segment to port 22 with no TCP flags set (flags:0, a "null"
- # segment) and the IP Don't Fragment bit set (fragbits:d).
- # NOTE(review): the destination is limited to port 22, so the same probe
- # aimed at any other open port is not covered - confirm that is intended.
- alert tcp any any -> any 22 \
- (msg:"NMAP T2 detected!";fragbits:d;flags:0;\
- sid:9000047;)
- # type threshold with count 5: an alert is raised on every 5th match from a
- # source address within 30 s. Fewer than five matching packets from one
- # source in that window produce no alert at all.
- # NOTE(review): if the probe is normally sent only once or twice per scan,
- # this filter will hide it; the other rules here use count 1 - confirm.
- event_filter gen_id 1,sig_id 9000047,type threshold,track by_src,count 5,seconds 30
- #Rule T3
- # Matches any TCP segment with URG, PSH, SYN and FIN set (flags:UPSF), a
- # window size of 256, and the reserved, DF and MF IP bits not set
- # (fragbits:!rdm; "!" means the listed bits must be clear).
- # SYN together with FIN does not occur in normal TCP, so the flag
- # combination alone is already an anomaly indicator.
- alert tcp any any -> any any (msg:"TCP UPSF";fragbits:!rdm;flags:UPSF;window:256;sid:9000054;)
- # type limit with count 5: the first 5 matches per destination address in
- # each 22 s window alert, the rest are suppressed.
- # NOTE(review): this is the only filter in the set that tracks by_dst, so it
- # groups alerts by target rather than by scanning host - confirm intended.
- event_filter gen_id 1,sig_id 9000054,type limit,track by_dst,count 5,seconds 22
- #Rule T5
- # Matches any TCP segment with only SYN set (flags:S), a window size of
- # 31337, and the reserved, DF and MF IP bits not set (fragbits:!rdm).
- # NOTE(review): the window value is the distinguishing feature here; a
- # sender that uses a different window size will not match.
- alert tcp any any -> any any (msg:"T5 filter triggered!";flags:S;fragbits:!rdm;window:31337;sid:9000030;)
- # type limit with count 1: only the first match per source address in each
- # 30 s window alerts.
- event_filter gen_id 1, sig_id 9000030, type limit, track by_src, count 1, seconds 30
- #Rule T6
- # Matches TCP from 192.168.45.1 to 192.168.45.128 (any ports) with the ACK
- # flag set and a window size of 32768. flags:A+ means ACK plus any other
- # flags, so SYN/ACK, PSH/ACK, FIN/ACK and similar segments all match.
- # NOTE(review): the msg says "Fragbits" but the rule has no fragbits:
- # option, so the IP flag bits are not examined - presumably an omission.
- # NOTE(review): both addresses are hard-coded, so the rule only watches this
- # one host pair, and with flags:A+ any ordinary established-session traffic
- # between them that advertises a 32768 window will alert. Verify against
- # normal traffic before relying on it.
- alert tcp 192.168.45.1 any -> 192.168.45.128 any \
- (msg:"Fragbits";flags:A+;window:32768;sid:9000057;)
- # type both with count 1: at most one alert per source address per 20 s.
- event_filter gen_id 1,sig_id 9000057,type both,track by_src,count 1,seconds 20
- #Rule T7
- # Matches TCP from source port 43821 to any destination port 1024 or higher
- # with FIN, PSH and URG set (flags:FPU).
- # NOTE(review): the fixed source port looks like a value taken from one
- # capture; the same flag combination from any other source port, or to a
- # port below 1024, will not match - confirm that is intended.
- # Unlike the other TCP rules in this set, no window: or fragbits: check is
- # applied.
- alert tcp any 43821 -> any 1024: \
- (msg:"NMAP T7 detected!";flags:FPU;\
- sid:9000041;)
- # type both with count 8: one alert per source address per 30 s, and only
- # after 8 matches have been seen in that window. Fewer than eight matching
- # packets from one source produce no alert.
- event_filter gen_id 1,sig_id 9000041,type both,track by_src,count 8,seconds 30