
suricata-rules / Suricata Rules

Suricata IDS rules for detecting red-team penetration and other malicious behaviour; covers CobaltStrike, MSF, Empire, DNS tunnels, Weevely, China Chopper (菜刀), Behinder (冰蝎), cryptomining, reverse shells, ICMP tunnels and more.

Projects that are alternatives of or similar to Suricata Rules

gonids
gonids is a library to parse IDS rules, with a focus primarily on Suricata rule compatibility. There is a discussion forum available that you can join on Google Groups: https://groups.google.com/forum/#!topic/gonids/
Stars: ✭ 140 (-64.74%)
Mutual labels:  suricata, ids
docker-suricata
A Suricata Docker image.
Stars: ✭ 120 (-69.77%)
Mutual labels:  suricata, ids
Py Idstools
idstools: Snort and Suricata Rule and Event Utilities in Python (Including a Rule Update Tool)
Stars: ✭ 205 (-48.36%)
Mutual labels:  ids, suricata
Selks
A Suricata based IDS/IPS distro
Stars: ✭ 707 (+78.09%)
Mutual labels:  ids, suricata
Suricata Update
The tool for updating your Suricata rules.
Stars: ✭ 143 (-63.98%)
Mutual labels:  ids, suricata
TheBriarPatch
An extremely crude, lightweight Web Frontend for Suricata/Bro to be used with BriarIDS
Stars: ✭ 21 (-94.71%)
Mutual labels:  suricata, ids
Evebox
Web Based Event Viewer (GUI) for Suricata EVE Events in Elastic Search
Stars: ✭ 286 (-27.96%)
Mutual labels:  ids, suricata
docker-zeek
Zeek IDS Dockerfile
Stars: ✭ 82 (-79.35%)
Mutual labels:  ids
bsmtrace
BSM based intrusion detection system
Stars: ✭ 31 (-92.19%)
Mutual labels:  ids
graylog-zeek-content-pack
BRO/Zeek IDS content pack contains pipeline rules, a stream, a dashboard displaying interesting activity, and a syslog tcp input to capture and index BRO/Zeek logs coming from a remote sensor.
Stars: ✭ 18 (-95.47%)
Mutual labels:  ids
Wazuh Ruleset
Wazuh - Ruleset
Stars: ✭ 305 (-23.17%)
Mutual labels:  ids
nsm-attack
Mapping NSM rules to MITRE ATT&CK
Stars: ✭ 53 (-86.65%)
Mutual labels:  suricata
ids
An efficient distributed ID generator: each client instance can reach 1 million TPS with no load on the server, ID generation stays available even if the server goes down, and multiple data centres and ID encryption are supported.
Stars: ✭ 47 (-88.16%)
Mutual labels:  ids
NIDS-Intrusion-Detection
Simple implementation of a Network Intrusion Detection System. The KDD Cup '99 data set is used for this project: kdd_cup_10_percent is used for training and the correct set is used for testing. PCA is used for dimensionality reduction; SVM and KNN supervised algorithms are the project's classifiers. Accuracy: 83.5% for SVM, 80% for KNN.
Stars: ✭ 45 (-88.66%)
Mutual labels:  ids
Security Onion
Security Onion 16.04 - Linux distro for threat hunting, enterprise security monitoring, and log management
Stars: ✭ 2,956 (+644.58%)
Mutual labels:  ids
altprobe
collector for XDR and security posture service
Stars: ✭ 62 (-84.38%)
Mutual labels:  suricata
Qnsm
QNSM is a network security monitoring framework based on DPDK.
Stars: ✭ 334 (-15.87%)
Mutual labels:  suricata
Sigma
Generic Signature Format for SIEM Systems
Stars: ✭ 4,418 (+1012.85%)
Mutual labels:  ids
Hashids.js
A small JavaScript library to generate YouTube-like ids from numbers.
Stars: ✭ 3,525 (+787.91%)
Mutual labels:  ids
brimcap
Convert pcap files into richly-typed ZNG summary logs (Zeek, Suricata, and more)
Stars: ✭ 22 (-94.46%)
Mutual labels:  suricata

suricata-rules

Suricata is an excellent open-source intrusion detection system. This project collects high-quality Suricata IDS rules extracted by security operations staff; contributions are welcome.

Rule-writing requirements are as follows.

Create a new directory for each rule, laid out as follows:

webshell检测	# rule directory name; just describe the detection rule it holds clearly
- webshell.pcap	# the pcap the rule was written against, saved as a single flow where possible
- webshell.rules	# the rule file you extracted; test it before submitting where possible
- README	# anything that helps others understand the rule; Markdown is supported

Rule directory

Name the directory after a single CVE, hacker tool or threat type. If a matching rule directory already exists, put the rule in that existing directory.

The pcap for the rule

Filter the traffic in Wireshark, then use File -> Save Specified Packets (保存特定分组), choose the pcap format, and upload the result.
This keeps the malicious flow easy to identify and the file as small as possible, which makes it easy to move and back up.

The .rules file

The rules file may be named freely, but the extension must be .rules, e.g. webshell_caidao.rules.
A file may contain several rules; note this in the README.

Suggested rule content:

Example

sid allocation:
0~1000000           reserved for Sourcefire VRT
2000001~2999999     Emerging Threats (ET)
3000000~3999999     shared, allocated by category:
    Network scanning               3000000~3000999
    Brute force                    3001000~3001999
    Exploitation                   3002000~3002999
    Backdoor connection            3003000~3003999
    WebShell                       3004000~3004999
    Virus / Trojan                 3005000~3005999
    Spyware                        3006000~3006999
    Authentication                 3007000~3007999
    Code execution                 3008000~3008999
    File restoration               3009000~3009999
    File transfer                  3010000~3010999
    Suspicious DNS                 3011000~3011999
    HTTP request                   3012000~3012999
    Malicious behaviour            3013000~3013999
    Policy violation               3014000~3014999
    Sensitive information leak     3015000~3015999
    Hacker tools                   3016000~3016999
    Cryptomining                   3017000~3017999
rev is the rule version; increment it on every modification. metadata carries the creation date and the author.
reference gives the source or reference material, for example a CVE number, a remediation, or a description of the attack.
alert http any any -> any any (msg:"webshell_caidao_php"; flow:established; content:"POST"; http_method; content:".php"; http_uri; content:"base64_decode"; http_client_body; sid:3004001; rev:1; metadata:created_at 2018_11_14, by al0ne;)
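As an added example (not code from the suricata-rules project), a small Python checker that applies the conventions above to a contributed rule: it maps the sid to its shared category block, flags a sid already recorded in sid.txt, and requires rev plus the created_at/by metadata. It assumes sid.txt holds one sid per line; the category names are the translated headings from the sid table.

```python
import re

# Category list mirroring the shared-range allocation above: eighteen consecutive
# blocks of 1000 sids starting at 3000000 (assumption: blocks stay contiguous).
CATEGORIES = [
    "Network scanning", "Brute force", "Exploitation", "Backdoor connection",
    "WebShell", "Virus / Trojan", "Spyware", "Authentication", "Code execution",
    "File restoration", "File transfer", "Suspicious DNS", "HTTP request",
    "Malicious behaviour", "Policy violation", "Sensitive information leak",
    "Hacker tools", "Cryptomining",
]
SHARED_BASE = 3000000


def sid_category(sid):
    """Category name for a sid inside the listed shared blocks, else None."""
    block = (sid - SHARED_BASE) // 1000
    if sid < SHARED_BASE or block >= len(CATEGORIES):
        return None
    return CATEGORIES[block]


def parse_metadata(rule):
    """Turn 'metadata:created_at 2018_11_14, by al0ne;' into a dict."""
    m = re.search(r"\bmetadata:\s*([^;]*);", rule)
    meta = {}
    for item in m.group(1).split(",") if m else []:
        parts = item.strip().split(None, 1)   # "key value" pairs
        if len(parts) == 2:
            meta[parts[0]] = parts[1]
    return meta


def check_rule(rule, known_sids=frozenset()):
    """Return the list of contribution problems; an empty list means the rule passes."""
    sid_m = re.search(r"\bsid:\s*(\d+)\s*;", rule)
    if not sid_m:
        return ["missing sid"]
    sid, problems = int(sid_m.group(1)), []
    if sid_category(sid) is None:
        problems.append(f"sid {sid} is outside the listed shared category ranges")
    if sid in known_sids:
        problems.append(f"sid {sid} already present in sid.txt")
    if not re.search(r"\brev:\s*\d+\s*;", rule):
        problems.append("missing rev")
    meta = parse_metadata(rule)
    problems += [f"metadata missing {k}" for k in ("created_at", "by") if k not in meta]
    return problems


def load_sids(sid_txt):
    """Assumed sid.txt layout: one sid per line (assumption about the project file)."""
    return {int(tok) for tok in sid_txt.split() if tok.isdigit()}
```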

Files in the project root

suricata-ids.rules	# the collection of all rules; to update, download this file and replace your copy.
disable.conf	# Suricata rules disabled during analysis (ineffective, false positives, etc.)
sid.txt	# the sids of all rules, kept to avoid duplicates; sid.txt must be updated every time a rule is added.

Acknowledgements

Main project contributors

Note that the project description data, including the texts, logos, images, and/or trademarks, for each open source project belongs to its rightful owner. If you wish to add or remove any projects, please contact us at [email protected].