# $Id: local.rules,v 1.11 2004/07/23 20:15:44 bmc Exp $# ----------------# L

1. # $Id: local.rules,v 1.11 2004/07/23 20:15:44 bmc Exp $
2. # ----------------
3. # LOCAL RULES
4. # ----------------
5. # This file intentionally does not come with signatures. Put your local
6. # additions here.
7.  
8. # test
9. alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:1000001; rev:1; classtype:icmp-event;)
10.  
11. #lab
12.  
13. alert tcp 192.168.0.0/24 any <> !192.168.0.0/24 any (msg:"External WEB request";sid:1;)
14.  
15. #alert tcp 192.168.0.0/24 any <> !192.168.0.0/24 any (msg:"External WEB request";sid:1;react:block)
16.  
17. #alert tcp !192.168.1.0/24 any -> 192.168.1.0/24 any (msg:"IDS004 - SCAN-NULL Scan";flags:0; seq:0; ack:0;)
18.  
19. #alert tcp any any -> any any (flags:S,12; msg:"SYN"; sid: 1231213;)
20.  
21.  
22. #individual
23.  
24. # убиваем UNION SQL injection
25. drop tcp any any -> $HOME_NET $HTTP_PORTS (msg:"UNION SQL Injection";uricontent:"union";nocase;uricontent:"select";nocase;sid:1;gid:666;)
26.  
27. # убиваем blind SQL injection
28. drop tcp any any -> $HOME_NET $HTTP_PORTS (msg:"Blind SQL Injection";uricontent:"ascii";nocase;uricontent:"substr";nocase;uricontent:"select";nocase;sid:2;gid:666;)
29.  
30. # убиваем XSS/CSS
31. drop tcp any any -> $HOME_NET $HTTP_PORTS (msg:"XSS/CSS attack";uricontent:"";nocase;sid:4;gid:666;)
32.  
33. # убиваем хитрый XSS/CSS
34. drop tcp any any -> $HOME_NET $HTTP_PORTS (msg:"XSS/CSS attack";pcre:"/GET \/.*\?.*=(javascript:|onclick=|onmouseover=|onmouseout=|onload=).*\n/i";sid:5;gid:666;)
35.  
36. # убиваем ../../../etc/passwd
37. drop tcp any any -> $HOME_NET $HTTP_PORTS (msg:"PHP include attack";uricontent:"=../..";sid:6;gid:666;)