# Copyright (C) 2023-2024 ANSSI
# SPDX-License-Identifier: GPL-2.0-or-later
#
# Suricata rules for Attack-Defense CTF games
# Please remember to increment `sid` when adding new rules as its value must be unique.
# Make sure matching is done on at least 4 bytes to reduce false positives.
# Flags (sid 1-1000)
# As PCRE matching is slow, always put a cheap content filter before each pcre.
# Please test your regex at https://regex101.com/ using "PCRE2" mode.
# Some rules are duplicated on the 'file.data' buffer so that they also match compressed payloads.
# ENOWARS rules are disabled by default as they cause false positives
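# --- CINI / ECSC 2024 flags (sid 1-6): 31 chars of [A-Z0-9] followed by '=' ---
# The literal '=' is the cheap content anchor; the pcre then re-checks the 31 bytes
# in front of it (distance: -32 steps back over the anchor). The negated content
# with distance: -6 drops payloads ending in "AAAAA=" (presumably a known false
# positive -- confirm with the rule author before relying on it).
# NOTE(review): the ", flow:match" suffix inside every pcre string is not a pcre
# modifier I can place in the Suricata docs; confirm these rules load, because a
# parse error here would silently disable flag detection for the whole section.
alert ip any any -> any any (msg: "A CINI flag (ECSC 2024) was sent to client"; flow:to_client; content: "="; pcre: "/([A-Z0-9]{31}=)/, flow:match"; distance: -32; content:!"AAAAA="; distance: -6; metadata: tag FLAG OUT, color danger; sid: 1;)
# Same check on the decompressed file.data buffer.
alert ip any any -> any any (msg: "A CINI flag (ECSC 2024) was sent to client"; flow:to_client; file.data; content: "="; pcre: "/([A-Z0-9]{31}=)/, flow:match"; distance: -32; content:!"AAAAA="; distance: -6; metadata: tag FLAG OUT, color danger; sid: 2;)
# Hex-encoded flag: every flag byte becomes two hex digits ([345][0-9a-f] covers
# the 0x30-0x5a range of [A-Z0-9]) and '=' becomes "3d"; 64 hex chars are re-checked.
alert ip any any -> any any (msg: "A CINI flag (ECSC 2024) was sent to client (hex)"; flow:to_client; content: "3d"; pcre: "/((?:[345][0-9a-f]){31}3d)/, flow:match"; distance: -64; metadata: tag FLAG OUT HEX, color danger; sid: 3;)
# Upper-case hex variant. The regex used to be a verbatim copy of sid 3 and only
# accepted lower-case hex, so after the case-sensitive "3D" anchor it could never
# match; it now uses [0-9A-F] and "3D".
alert ip any any -> any any (msg: "A CINI flag (ECSC 2024) was sent to client (hex)"; flow:to_client; content: "3D"; pcre: "/((?:[345][0-9A-F]){31}3D)/, flow:match"; distance: -64; metadata: tag FLAG OUT HEX, color danger; sid: 4;)
# Base64 variant: the four character classes presumably enumerate the base64
# characters a [A-Z0-9] triple can produce at each output position, repeated for
# 10 groups plus the final "0=" padded group; "0=" is the content anchor.
alert ip any any -> any any (msg: "A CINI flag (ECSC 2024) was sent to client (base64)"; flow:to_client; content: "0="; pcre: "/((?:[MNOQ-W][DEFjkl01TUVz][014589ABEFIJMNQRUVYZcdghklopstwx][0-5B-Zawxyz]){10}[MNOQ-W][jDzT]0=)/, flow:match"; distance: -44; metadata: tag FLAG OUT B64, color danger; sid: 5;)
# Inbound direction: flags arriving at our services are normally placed by the
# game checkers, hence tag FLAG IN with color success instead of danger.
alert ip any any -> any any (msg: "A CINI flag (ECSC 2024) was placed in our services (probably by checkers)"; flow:to_server; content: "="; pcre: "/([A-Z0-9]{31}=)/, flow:match"; distance: -32; content:!"AAAAA="; distance: -6; metadata: tag FLAG IN, color success; sid: 6;)
# --- ECSC flags (sid 11-15): "ECSC_" + 32 chars of [A-Za-z0-9/+] ---
# "ECSC_" is the anchor; distance: -5 steps back over it so the pcre sees the prefix.
alert ip any any -> any any (msg: "A ECSC flag was sent to client"; flow:to_client; content: "ECSC_"; pcre: "/(ECSC_[A-Za-z0-9\/+]{32})/, flow:match"; distance: -5; metadata: tag FLAG OUT, color danger; sid: 11;)
alert ip any any -> any any (msg: "A ECSC flag was sent to client"; flow:to_client; file.data; content: "ECSC_"; pcre: "/(ECSC_[A-Za-z0-9\/+]{32})/, flow:match"; distance: -5; metadata: tag FLAG OUT, color danger; sid: 12;)
# Base64 of a 37-byte flag is 52 chars: "RUNTQ1" (base64 prefix of "ECSC_") + 44 + "==".
alert ip any any -> any any (msg: "A ECSC flag was sent to client (base64)"; flow:to_client; content: "RUNTQ1"; pcre: "/(RUNTQ1[A-Za-z0-9\/+]{44}==)/, flow:match"; distance: -6; metadata: tag FLAG OUT B64, color danger; sid: 13;)
alert ip any any -> any any (msg: "A ECSC flag was sent to client (base64)"; flow:to_client; file.data; content: "RUNTQ1"; pcre: "/(RUNTQ1[A-Za-z0-9\/+]{44}==)/, flow:match"; distance: -6; metadata: tag FLAG OUT B64, color danger; sid: 14;)
alert ip any any -> any any (msg: "A ECSC flag was send to server (probably by checkers)"; flow:to_server; content: "ECSC_"; pcre: "/(ECSC_[A-Za-z0-9\/+]{32})/, flow:match"; distance: -5; metadata: tag FLAG IN, color success; sid: 15;)
# --- ENOWARS flags (sid 21-25): "ENO" + 48 chars -- disabled, see header note ---
# The 3-byte "ENO" anchor is below the 4-byte minimum recommended in the header,
# which is consistent with the false positives mentioned there.
#alert ip any any -> any any (msg: "A ENOWARS flag was sent to client"; flow:to_client; content: "ENO"; pcre: "/ENO[A-Za-z0-9+\/=]{48}/, flow:match"; distance: -3; metadata: tag FLAG OUT, color danger; sid: 21;)
#alert ip any any -> any any (msg: "A ENOWARS flag was sent to client"; flow:to_client; file.data; content: "ENO"; pcre: "/ENO[A-Za-z0-9+\/=]{48}/, flow:match"; distance: -3; metadata: tag FLAG OUT, color danger; sid: 22;)
#alert ip any any -> any any (msg: "A ENOWARS flag was sent to client (base64)"; flow:to_client; content: "RU5P"; pcre: "/RU5P[A-Za-z0-9\/+]{64}/, flow:match"; distance: -4; metadata: tag FLAG OUT B64, color danger; sid: 23;)
#alert ip any any -> any any (msg: "A ENOWARS flag was sent to client (base64)"; flow:to_client; file.data; content: "RU5P"; pcre: "/RU5P[A-Za-z0-9\/+]{64}/, flow:match"; distance: -4; metadata: tag FLAG OUT B64, color danger; sid: 24;)
#alert ip any any -> any any (msg: "A ENOWARS flag was placed in our services (probably by checkers)"; flow:to_server; content: "ENO"; pcre: "/ENO[A-Za-z0-9+\/=]{48}/, flow:match"; distance: -3; metadata: tag FLAG IN, color success; sid: 25;)
# --- FAUST CTF flags (sid 31-35): "FAUST_" + 32 chars of [A-Za-z0-9/+] ---
alert ip any any -> any any (msg: "A FAUSTCTF flag was sent to client"; flow:to_client; content: "FAUST_"; pcre: "/(FAUST_[A-Za-z0-9\/+]{32})/, flow:match"; distance: -6; metadata: tag FLAG OUT, color danger; sid: 31;)
alert ip any any -> any any (msg: "A FAUSTCTF flag was sent to client"; flow:to_client; file.data; content: "FAUST_"; pcre: "/(FAUST_[A-Za-z0-9\/+]{32})/, flow:match"; distance: -6; metadata: tag FLAG OUT, color danger; sid: 32;)
# "RkFVU1Rf" is base64("FAUST_"); a 38-byte flag encodes to 8 + 43 chars + one "=".
alert ip any any -> any any (msg: "A FAUSTCTF flag was sent to client (base64)"; flow:to_client; content: "RkFVU1Rf"; pcre: "/(RkFVU1Rf[A-Za-z0-9\/+]{43}=)/, flow:match"; distance: -8; metadata: tag FLAG OUT B64, color danger; sid: 33;)
alert ip any any -> any any (msg: "A FAUSTCTF flag was sent to client (base64)"; flow:to_client; file.data; content: "RkFVU1Rf"; pcre: "/(RkFVU1Rf[A-Za-z0-9\/+]{43}=)/, flow:match"; distance: -8; metadata: tag FLAG OUT B64, color danger; sid: 34;)
alert ip any any -> any any (msg: "A FAUSTCTF flag was placed in our services (probably by checkers)"; flow:to_server; content: "FAUST_"; pcre: "/(FAUST_[A-Za-z0-9\/+]{32})/, flow:match"; distance: -6; metadata: tag FLAG IN, color success; sid: 35;)
# --- ICC flags (sid 41-45): "ICC_" + 32 chars of [A-Za-z0-9/+] ---
alert ip any any -> any any (msg: "A ICC flag was sent to client"; flow:to_client; content: "ICC_"; pcre: "/(ICC_[A-Za-z0-9\/+]{32})/, flow:match"; distance: -4; metadata: tag FLAG OUT, color danger; sid: 41;)
alert ip any any -> any any (msg: "A ICC flag was sent to client"; flow:to_client; file.data; content: "ICC_"; pcre: "/(ICC_[A-Za-z0-9\/+]{32})/, flow:match"; distance: -4; metadata: tag FLAG OUT, color danger; sid: 42;)
# Base64 variant relies on the "SUNDX" prefix alone (no pcre), so it tags any
# payload containing that 5-char string, not just well-formed flags.
alert ip any any -> any any (msg: "A ICC flag was sent to client (base64)"; flow:to_client; content: "SUNDX"; metadata: tag FLAG OUT B64, color danger; sid: 43;)
alert ip any any -> any any (msg: "A ICC flag was sent to client (base64)"; flow:to_client; file.data; content: "SUNDX"; metadata: tag FLAG OUT B64, color danger; sid: 44;)
alert ip any any -> any any (msg: "A ICC flag was placed in our services (probably by checkers)"; flow:to_server; content: "ICC_"; pcre: "/(ICC_[A-Za-z0-9\/+]{32})/, flow:match"; distance: -4; metadata: tag FLAG IN, color success; sid: 45;)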
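# Tag file formats using libmagic (sid 1001-2000)
# As libmagic calls are slow, please use a content filter before.
# fast_pattern overrides Suricata fast pattern determination.
# Pattern: match the magic bytes at the start of the file.data buffer (startswith,
# or a small depth where the magic is not at offset 0), then let filemagic
# confirm the libmagic description. The filemagic string is a substring match on
# libmagic's output, so keep it as specific as the description allows.
alert ip any any -> any any (msg: "tag"; file.data; content: "|00|asm"; startswith; fast_pattern; filemagic: "WebAssembly (wasm) binary"; metadata: tag WASM, color primary; sid: 1001;)
alert ip any any -> any any (msg: "tag"; file.data; content: "|28 B5 2F FD|"; startswith; fast_pattern; filemagic: "Zstandard compressed data"; metadata: tag ZST, color primary; sid: 1002;)
# "%PDF-" may be preceded by a few bytes, hence depth:10 instead of startswith.
alert ip any any -> any any (msg: "tag"; file.data; content: "|25|PDF-"; depth:10; fast_pattern; filemagic: "PDF document"; metadata: tag PDF, color primary; sid: 1003;)
# "<svg" usually follows an XML prolog and DOCTYPE, so search the first 4 KiB.
alert ip any any -> any any (msg: "tag"; file.data; content: "|3C|svg"; depth:4096; nocase; fast_pattern; filemagic: "SVG Scalable Vector Graphics image"; metadata: tag SVG, color primary; sid: 1004;)
alert ip any any -> any any (msg: "tag"; file.data; content: "|89|PNG|0d 0a|"; startswith; fast_pattern; filemagic: "PNG image"; metadata: tag PNG, color primary; sid: 1005;)
alert ip any any -> any any (msg: "tag"; file.data; content: "|FD|7zXZ|00|"; startswith; fast_pattern; filemagic: "XZ compressed data"; metadata: tag XZ, color primary; sid: 1006;)
alert ip any any -> any any (msg: "tag"; file.data; content: "|ff d8 ff|"; startswith; fast_pattern; filemagic: "JPEG image"; metadata: tag JPG, color primary; sid: 1007;)
alert ip any any -> any any (msg: "tag"; file.data; content: "7z|BC AF 27 1C|"; startswith; fast_pattern; filemagic: "7-zip archive data"; metadata: tag 7Z, color primary; sid: 1008;)
# "GIF" is only 3 bytes (below the 4-byte guidance in the header); startswith
# plus filemagic keep this from tagging arbitrary text containing "GIF".
alert ip any any -> any any (msg: "tag"; file.data; content: "GIF"; startswith; fast_pattern; filemagic: "GIF image"; metadata: tag GIF, color primary; sid: 1009;)
alert ip any any -> any any (msg: "tag"; file.data; content: "MSCF|00 00 00 00|"; startswith; fast_pattern; filemagic: "Microsoft cabinet file data"; metadata: tag CAB, color primary; sid: 1010;)
alert ip any any -> any any (msg: "tag"; file.data; content: "MThd"; startswith; fast_pattern; filemagic: "Standard MIDI data"; metadata: tag MIDI, color primary; sid: 1011;)
# sid 1012-1015 share the ZIP local-file header "PK\x03\x04"; only filemagic tells
# OOXML documents and plain archives apart, so several of them can fire on one file.
alert ip any any -> any any (msg: "tag"; file.data; content: "PK|03 04|"; startswith; fast_pattern; filemagic: "Microsoft Excel 2007+"; metadata: tag XLSX, color primary; sid: 1012;)
alert ip any any -> any any (msg: "tag"; file.data; content: "PK|03 04|"; startswith; fast_pattern; filemagic: "Microsoft PowerPoint 2007+"; metadata: tag PPTX, color primary; sid: 1013;)
alert ip any any -> any any (msg: "tag"; file.data; content: "PK|03 04|"; startswith; fast_pattern; filemagic: "Microsoft Word 2007+"; metadata: tag DOCX, color primary; sid: 1014;)
alert ip any any -> any any (msg: "tag"; file.data; content: "PK|03 04|"; startswith; fast_pattern; filemagic: "Zip archive"; metadata: tag ZIP, color primary; sid: 1015;)
alert ip any any -> any any (msg: "tag"; file.data; content: "Vgm|20|"; startswith; fast_pattern; filemagic: "VGM Video Game Music"; metadata: tag VGM, color primary; sid: 1016;)
alert ip any any -> any any (msg: "tag"; file.data; content: "wOF"; startswith; fast_pattern; filemagic: "Web Open Font"; metadata: tag WOFF, color primary; sid: 1017;)
# 64-bit little-endian ELF: \x7fELF, class 2, data 1, version 1, then padding.
alert ip any any -> any any (msg: "tag"; file.data; content: "|7F|ELF|02 01 01 00 00 00 00 00 00 00 00 00|"; startswith; fast_pattern; filemagic: "ELF"; metadata: tag ELF, color primary; sid: 1018;)
# Base64 of the same 16-byte ELF header as sid 1018; filemagic cannot be applied
# to encoded data, so this one is content-only and not anchored with startswith.
alert ip any any -> any any (msg: "tag"; file.data; content: "f0VMRgIBAQAAAAAAAAAAAA"; metadata: tag ELF B64, color primary; sid: 1019;)
# Fixed: the keyword separator after content was a ',' instead of ';', which every
# other rule uses; a malformed keyword list makes the rule fail to load.
alert ip any any -> any any (msg: "tag"; file.data; content: "{"; depth:1; fast_pattern; filemagic: "JSON data"; metadata: tag JSON, color primary; sid: 1020;)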
# Tag HTTP methods and status (sid 2001-3000)
# Sticky-buffer style: `http.method;` / `http.stat_code;` select the buffer, then
# `content` + `startswith` anchor the value at the start of that buffer. These are
# pure labelling rules (msg "tag", color info) used to filter flows in the UI.
# GET and 200 have no rule here; presumably omitted because they would tag almost
# every HTTP flow -- confirm before adding them.
alert http any any -> any any (msg: "tag"; http.method; content: "POST"; startswith; metadata: tag POST, color info; sid: 2001;)
alert http any any -> any any (msg: "tag"; http.method; content: "PUT"; startswith; metadata: tag PUT, color info; sid: 2002;)
alert http any any -> any any (msg: "tag"; http.method; content: "HEAD"; startswith; metadata: tag HEAD, color info; sid: 2003;)
alert http any any -> any any (msg: "tag"; http.method; content: "DELETE"; startswith; metadata: tag DELETE, color info; sid: 2004;)
alert http any any -> any any (msg: "tag"; http.method; content: "TRACE"; startswith; metadata: tag TRACE, color info; sid: 2005;)
alert http any any -> any any (msg: "tag"; http.method; content: "OPTIONS"; startswith; metadata: tag OPTIONS, color info; sid: 2006;)
alert http any any -> any any (msg: "tag"; http.method; content: "CONNECT"; startswith; metadata: tag CONNECT, color info; sid: 2007;)
alert http any any -> any any (msg: "tag"; http.method; content: "PATCH"; startswith; metadata: tag PATCH, color info; sid: 2008;)
# Status codes (sid 2101+): the tag is the status code itself.
alert http any any -> any any (msg: "tag"; http.stat_code; content: "101"; startswith; metadata: tag 101, color info; sid: 2101;)
alert http any any -> any any (msg: "tag"; http.stat_code; content: "201"; startswith; metadata: tag 201, color info; sid: 2102;)
alert http any any -> any any (msg: "tag"; http.stat_code; content: "202"; startswith; metadata: tag 202, color info; sid: 2103;)
alert http any any -> any any (msg: "tag"; http.stat_code; content: "204"; startswith; metadata: tag 204, color info; sid: 2104;)
alert http any any -> any any (msg: "tag"; http.stat_code; content: "301"; startswith; metadata: tag 301, color info; sid: 2105;)
alert http any any -> any any (msg: "tag"; http.stat_code; content: "302"; startswith; metadata: tag 302, color info; sid: 2106;)
alert http any any -> any any (msg: "tag"; http.stat_code; content: "303"; startswith; metadata: tag 303, color info; sid: 2107;)
alert http any any -> any any (msg: "tag"; http.stat_code; content: "304"; startswith; metadata: tag 304, color info; sid: 2108;)
alert http any any -> any any (msg: "tag"; http.stat_code; content: "400"; startswith; metadata: tag 400, color info; sid: 2109;)
alert http any any -> any any (msg: "tag"; http.stat_code; content: "401"; startswith; metadata: tag 401, color info; sid: 2110;)
alert http any any -> any any (msg: "tag"; http.stat_code; content: "403"; startswith; metadata: tag 403, color info; sid: 2111;)
alert http any any -> any any (msg: "tag"; http.stat_code; content: "404"; startswith; metadata: tag 404, color info; sid: 2112;)
alert http any any -> any any (msg: "tag"; http.stat_code; content: "405"; startswith; metadata: tag 405, color info; sid: 2113;)
alert http any any -> any any (msg: "tag"; http.stat_code; content: "408"; startswith; metadata: tag 408, color info; sid: 2114;)
alert http any any -> any any (msg: "tag"; http.stat_code; content: "500"; startswith; metadata: tag 500, color info; sid: 2115;)
alert http any any -> any any (msg: "tag"; http.stat_code; content: "501"; startswith; metadata: tag 501, color info; sid: 2116;)
alert http any any -> any any (msg: "tag"; http.stat_code; content: "502"; startswith; metadata: tag 502, color info; sid: 2117;)
alert http any any -> any any (msg: "tag"; http.stat_code; content: "503"; startswith; metadata: tag 503, color info; sid: 2118;)
alert http any any -> any any (msg: "tag"; http.stat_code; content: "504"; startswith; metadata: tag 504, color info; sid: 2119;)
# Identify user agents and some common response messages (sid 3001-4000)
# These use the legacy content-modifier form (`http_user_agent` after `content`)
# rather than the sticky-buffer form used in the HTTP section above; both select
# the User-Agent header. Only client->server traffic carries a User-Agent, hence
# flow:to_server. A User-Agent is attacker-controlled, so treat these tags as
# hints for triage, never as identification of the sender.
alert http any any -> any any (msg: "tag"; flow:to_server; content: "python-requests/"; startswith; http_user_agent; metadata: tag UA PYREQ, color info; sid: 3001;)
alert http any any -> any any (msg: "tag"; flow:to_server; content: "python-httpx/"; startswith; http_user_agent; metadata: tag UA HTTPX, color info; sid: 3002;)
# sid 3003-3006 match engine/version substrings that sit in the middle of browser
# User-Agents, so they cannot be anchored with startswith.
alert http any any -> any any (msg: "tag"; flow:to_server; content: "HeadlessChrome/"; http_user_agent; metadata: tag UA HLCHROME, color info; sid: 3003;)
alert http any any -> any any (msg: "tag"; flow:to_server; content: "Gecko/20100101 Firefox/"; http_user_agent; metadata: tag UA FIREFOX, color info; sid: 3004;)
alert http any any -> any any (msg: "tag"; flow:to_server; content: "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/"; http_user_agent; metadata: tag UA CHROME, color info; sid: 3005;)
alert http any any -> any any (msg: "tag"; flow:to_server; content: "AppleWebKit/605.1.15 (KHTML, like Gecko) Version/"; http_user_agent; metadata: tag UA SAFARI, color info; sid: 3006;)
alert http any any -> any any (msg: "tag"; flow:to_server; content: "nushell"; startswith; http_user_agent; metadata: tag UA NUSHELL, color info; sid: 3007;)
alert http any any -> any any (msg: "tag"; flow:to_server; content: "Python/3."; startswith; http_user_agent; metadata: tag UA PY, color info; sid: 3008;)
alert http any any -> any any (msg: "tag"; flow:to_server; content: "curl/"; startswith; http_user_agent; metadata: tag UA CURL, color info; sid: 3009;)
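# Common exploit payloads (sid 4001-5000)
# All rules here are plain substring matches on any IP payload, in both
# directions, with no protocol context. They are triage tags (color warning),
# not verdicts: strings like "/bin/", "COALESCE(" or " LIMIT 1" also occur in
# legitimate traffic, so review the tagged flow before acting on it.
# Hex escapes (|24| = '$', |5c| = '\', |7b| = '{', |3d| = '=', |3A| = ':') are
# used where the character is special in Suricata's content syntax.
# Shell: "${IFS}" and "$IFS" as whitespace substitutes. sid 4002 is a strict
# subset of sid 4001, so a "${IFS}" payload fires both.
alert ip any any -> any any (msg: "Found Bash space bypass '${IFS}'"; content: "|24 7b|IFS|7d|"; nocase; metadata: tag BASH IFS, color warning; sid: 4001;)
alert ip any any -> any any (msg: "Found Bash space bypass '$IFS'"; content: "|24|IFS"; nocase; metadata: tag BASH IFS, color warning; sid: 4002;)
# LaTeX: primitives that read or write arbitrary files from a compiled document.
alert ip any any -> any any (msg: "Found LaTeX '\include{'"; content: "|5c|include|7b|"; nocase; metadata: tag LATEX INC, color warning; sid: 4051;)
alert ip any any -> any any (msg: "Found LaTeX '\input{'"; content: "|5c|input|7b|"; nocase; metadata: tag LATEX INPUT, color warning; sid: 4052;)
alert ip any any -> any any (msg: "Found LaTeX '\lstinputlisting{'"; content: "|5c|lstinputlisting|7b|"; nocase; metadata: tag LATEX LST, color warning; sid: 4053;)
alert ip any any -> any any (msg: "Found LaTeX '\read\file'"; content: "|5c|read|5c|file"; nocase; metadata: tag LATEX READ, color warning; sid: 4054;)
alert ip any any -> any any (msg: "Found LaTeX '\verbatiminput{'"; content: "|5c|verbatiminput|7b|"; nocase; metadata: tag LATEX VERB, color warning; sid: 4055;)
alert ip any any -> any any (msg: "Found LaTeX '\write\outfile'"; content: "|5c|write|5c|outfile"; nocase; metadata: tag LATEX WRITE, color warning; sid: 4056;)
# LDAP: attribute names as they appear in filters or injected queries. These are
# case-sensitive on purpose (no nocase), unlike the rest of the section.
alert ip any any -> any any (msg: "Found LDAP 'commonName='"; content: "commonName|3d|"; metadata: tag LDAP FIELD, color warning; sid: 4101;)
alert ip any any -> any any (msg: "Found LDAP 'givenName='"; content: "givenName|3d|"; metadata: tag LDAP FIELD, color warning; sid: 4102;)
alert ip any any -> any any (msg: "Found LDAP 'objectClass='"; content: "objectClass|3d|"; metadata: tag LDAP FIELD, color warning; sid: 4103;)
alert ip any any -> any any (msg: "Found LDAP 'userPassword='"; content: "userPassword|3d|"; metadata: tag LDAP FIELD, color warning; sid: 4104;)
# Node.js: marker used by serialized-function payloads in JSON deserialization.
alert ip any any -> any any (msg: "Found NodeJS serialized function '_$$ND_FUNC$$_'"; content: "|5f 24 24|ND_FUNC|24 24 5f|"; nocase; metadata: tag NODEJS NDFUNC, color warning; sid: 4151;)
# Paths and URL schemes typical of file-read, SSRF and wrapper abuse.
alert ip any any -> any any (msg: "Found path '/bin/'"; content: "/bin/"; metadata: tag BIN PATH, color warning; sid: 4201;)
alert ip any any -> any any (msg: "Found path '/dev/'"; content: "/dev/"; metadata: tag DEV PATH, color warning; sid: 4202;)
alert ip any any -> any any (msg: "Found path '/etc/'"; content: "/etc/"; metadata: tag ETC PATH, color warning; sid: 4203;)
alert ip any any -> any any (msg: "Found path '/proc/'"; content: "/proc/"; metadata: tag PROC PATH, color warning; sid: 4204;)
alert ip any any -> any any (msg: "Found path '/var/lib/'"; content: "/var/lib/"; metadata: tag VARLIB PATH, color warning; sid: 4205;)
alert ip any any -> any any (msg: "Found path '/var/log/'"; content: "/var/log/"; metadata: tag VARLOG PATH, color warning; sid: 4206;)
alert ip any any -> any any (msg: "Found path 'file://'"; content: "file|3A|//"; nocase; metadata: tag FILE PATH, color warning; sid: 4207;)
alert ip any any -> any any (msg: "Found path 'gopher://'"; content: "gopher|3A|//"; nocase; metadata: tag GOPHER PATH, color warning; sid: 4208;)
alert ip any any -> any any (msg: "Found path 'ldap://'"; content: "ldap|3A|//"; nocase; metadata: tag LDAP PATH, color warning; sid: 4209;)
alert ip any any -> any any (msg: "Found path 'phar://'"; content: "phar|3A|//"; nocase; metadata: tag PHAR PATH, color warning; sid: 4210;)
alert ip any any -> any any (msg: "Found path 'php://'"; content: "php|3A|//"; nocase; metadata: tag PHP PATH, color warning; sid: 4211;)
alert ip any any -> any any (msg: "Found path 'tftp://'"; content: "tftp|3A|//"; nocase; metadata: tag TFTP PATH, color warning; sid: 4212;)
alert ip any any -> any any (msg: "Found path 'zip://'"; content: "zip|3A|//"; nocase; metadata: tag ZIP PATH, color warning; sid: 4213;)
# Only the literal "../.." form is covered; URL-encoded traversal is not.
alert ip any any -> any any (msg: "Found path traversal '../..'"; content: "../.."; metadata: tag PATH TRAVERSAL, color warning; sid: 4214;)
# PHP: opening tag, superglobals and functions commonly seen in uploaded webshells.
alert ip any any -> any any (msg: "Found PHP '<?php' opening tag"; content: "<?php"; nocase; metadata: tag PHP TAG, color warning; sid: 4251;)
alert ip any any -> any any (msg: "Found PHP '$_FILES'"; content: "|24 5f|FILES"; nocase; metadata: tag PHP FILES, color warning; sid: 4252;)
alert ip any any -> any any (msg: "Found PHP '$_GET'"; content: "|24 5f|GET"; nocase; metadata: tag PHP GET, color warning; sid: 4253;)
alert ip any any -> any any (msg: "Found PHP '$_POST'"; content: "|24 5f|POST"; nocase; metadata: tag PHP POST, color warning; sid: 4254;)
alert ip any any -> any any (msg: "Found PHP 'echo system'"; content: "echo system"; nocase; metadata: tag PHP SYSTEM, color warning; sid: 4255;)
alert ip any any -> any any (msg: "Found PHP 'file_get_contents' call"; content: "file_get_contents"; nocase; metadata: tag PHP FGC, color warning; sid: 4256;)
alert ip any any -> any any (msg: "Found PHP 'halt_compiler' call"; content: "halt_compiler"; nocase; metadata: tag PHP HC, color warning; sid: 4257;)
# SQL: functions and casts typical of injection and error/blind extraction.
alert ip any any -> any any (msg: "Found SQL 'array_to_string'"; content: "array_to_string"; nocase; metadata: tag SQL A2S, color warning; sid: 4301;)
alert ip any any -> any any (msg: "Found SQL 'regexp_count'"; content: "regexp_count"; nocase; metadata: tag SQL REGC, color warning; sid: 4302;)
alert ip any any -> any any (msg: "Found SQL ' LIMIT 1'"; content: " LIMIT 1"; nocase; metadata: tag SQL LIM1, color warning; sid: 4303;)
alert ip any any -> any any (msg: "Found SQL '::bytea'"; content: "|3A 3A|bytea"; nocase; metadata: tag SQL BYTEA, color warning; sid: 4304;)
# `nocase` only modifies the content keyword immediately before it, so the first
# content gets its own nocase; previously only " as bytea)" was case-insensitive
# and a lower-case "cast(" never matched, unlike every other SQL rule here.
alert ip any any -> any any (msg: "Found SQL 'CAST(. as bytea)'"; content: "CAST("; nocase; content: " as bytea)"; nocase; metadata: tag SQL CAST, color warning; sid: 4305;)
alert ip any any -> any any (msg: "Found SQL 'COALESCE('"; content: "COALESCE("; nocase; metadata: tag SQL COAL, color warning; sid: 4306;)
alert ip any any -> any any (msg: "Found SQL 'VARCHAR('"; content: "VARCHAR("; nocase; metadata: tag SQL VARC, color warning; sid: 4307;)
# XML external entity declarations: raw, URL-encoded ("%3C%21ENTITY") and
# base64 ("PCFFTlRJVF" is the encoding of "<!ENTITY" up to the alignment boundary).
alert ip any any -> any any (msg: "Found XML '<!ENTITY'"; content: "|3c 21|ENTITY"; nocase; metadata: tag XML ENTITY, color warning; sid: 4401;)
alert ip any any -> any any (msg: "Found XML '<!ENTITY' (URL encoded)"; content: "|25|3C|25|21ENTITY"; nocase; metadata: tag XML ENTITY, color warning; sid: 4402;)
alert ip any any -> any any (msg: "Found XML '<!ENTITY' (base64)"; content: "PCFFTlRJVF"; nocase; metadata: tag XML ENTITY, color warning; sid: 4403;)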
# Common side-channel indicators
# sid 5001: tag flows that stay open longer than 10 seconds (flow.age is in
# seconds). The flowbit isnotset/set pair makes the rule fire once per flow
# instead of on every packet after the threshold; long flows are a usual sign
# of timing-based side channels or slow extraction.
alert ip any any -> any any (msg: "tag"; flow.age:>10; flowbits: isnotset, slowflow; flowbits: set, slowflow; metadata: tag SLOW, color warning; sid: 5001;)
# sid 5002: client-originated TCP RST (R+ = RST with any other flags set), e.g.
# a service crash or a client aborting after a probe; to_server limits it to the
# client side so server-side resets do not tag every refused connection.
alert ip any any -> any any (msg: "Found TCP RST"; flow:to_server; flags: R+; metadata: tag RST, color warning; sid: 5002;)