suricata/rules: reduce ENOWARS false positives
aiooss-anssi committed Jul 24, 2024
1 parent a480a83 commit 5ac091b
Showing 1 changed file with 5 additions and 6 deletions.
11 changes: 5 additions & 6 deletions suricata/rules/suricata.rules
Expand Up @@ -9,7 +9,6 @@
# As PCRE is slow, please use a content filter before.
# Please test your regex at https://regex101.com/ using "PCRE2" mode.
# Some rules match also in 'file.data' in case of compressed payload.
# ENOWARS rules are disabled by default as they cause false positives
alert ip any any -> any any (msg: "A CINI flag (ECSC 2024) was sent to client"; flow:to_client; content: "="; pcre: "/([A-Z0-9]{31}=)/, flow:match"; distance: -32; content:!"AAAAA="; distance: -6; metadata: tag FLAG OUT, color danger; sid: 1;)
alert ip any any -> any any (msg: "A CINI flag (ECSC 2024) was sent to client"; flow:to_client; file.data; content: "="; pcre: "/([A-Z0-9]{31}=)/, flow:match"; distance: -32; content:!"AAAAA="; distance: -6; metadata: tag FLAG OUT, color danger; sid: 2;)
alert ip any any -> any any (msg: "A CINI flag (ECSC 2024) was sent to client (hex)"; flow:to_client; content: "3d"; pcre: "/((?:[345][0-9a-f]){31}3d)/, flow:match"; distance: -64; metadata: tag FLAG OUT HEX, color danger; sid: 3;)
Expand All @@ -21,11 +20,11 @@ alert ip any any -> any any (msg: "A ECSC flag was sent to client"; flow:to_clie
alert ip any any -> any any (msg: "A ECSC flag was sent to client (base64)"; flow:to_client; content: "RUNTQ1"; pcre: "/(RUNTQ1[A-Za-z0-9\/+]{44}==)/, flow:match"; distance: -6; metadata: tag FLAG OUT B64, color danger; sid: 13;)
alert ip any any -> any any (msg: "A ECSC flag was sent to client (base64)"; flow:to_client; file.data; content: "RUNTQ1"; pcre: "/(RUNTQ1[A-Za-z0-9\/+]{44}==)/, flow:match"; distance: -6; metadata: tag FLAG OUT B64, color danger; sid: 14;)
alert ip any any -> any any (msg: "A ECSC flag was send to server (probably by checkers)"; flow:to_server; content: "ECSC_"; pcre: "/(ECSC_[A-Za-z0-9\/+]{32})/, flow:match"; distance: -5; metadata: tag FLAG IN, color success; sid: 15;)
#alert ip any any -> any any (msg: "A ENOWARS flag was sent to client"; flow:to_client; content: "ENO"; pcre: "/ENO[A-Za-z0-9+\/=]{48}/, flow:match"; distance: -3; metadata: tag FLAG OUT, color danger; sid: 21;)
#alert ip any any -> any any (msg: "A ENOWARS flag was sent to client"; flow:to_client; file.data; content: "ENO"; pcre: "/ENO[A-Za-z0-9+\/=]{48}/, flow:match"; distance: -3; metadata: tag FLAG OUT, color danger; sid: 22;)
#alert ip any any -> any any (msg: "A ENOWARS flag was sent to client (base64)"; flow:to_client; content: "RU5P"; pcre: "/RU5P[A-Za-z0-9\/+]{64}/, flow:match"; distance: -4; metadata: tag FLAG OUT B64, color danger; sid: 23;)
#alert ip any any -> any any (msg: "A ENOWARS flag was sent to client (base64)"; flow:to_client; file.data; content: "RU5P"; pcre: "/RU5P[A-Za-z0-9\/+]{64}/, flow:match"; distance: -4; metadata: tag FLAG OUT B64, color danger; sid: 24;)
#alert ip any any -> any any (msg: "A ENOWARS flag was placed in our services (probably by checkers)"; flow:to_server; content: "ENO"; pcre: "/ENO[A-Za-z0-9+\/=]{48}/, flow:match"; distance: -3; metadata: tag FLAG IN, color success; sid: 25;)
alert ip any any -> any any (msg: "A ENOWARS flag was sent to client"; flow:to_client; content: "ENO"; pcre: "/(ENO[A-Za-z0-9+\/]{2}AAA[A-Za-z0-9+\/]{2}AAA[A-Za-z0-9+\/]{4}AA[A-Za-z0-9+\/]{3}AA[A-Za-z0-9+\/]{27})/, flow:match"; distance: -3; metadata: tag FLAG OUT, color danger; sid: 21;)
alert ip any any -> any any (msg: "A ENOWARS flag was sent to client"; flow:to_client; file.data; content: "ENO"; pcre: "/(ENO[A-Za-z0-9+\/]{2}AAA[A-Za-z0-9+\/]{2}AAA[A-Za-z0-9+\/]{4}AA[A-Za-z0-9+\/]{3}AA[A-Za-z0-9+\/]{27})/, flow:match"; distance: -3; metadata: tag FLAG OUT, color danger; sid: 22;)
alert ip any any -> any any (msg: "A ENOWARS flag was sent to client (base64)"; flow:to_client; content: "RU5P"; pcre: "/(RU5P[A-Za-z0-9]{3}BQU[A-Za-z0-9]{4}FBQ[A-Za-z0-9]{6}BQ[A-Za-z0-9]{5}FB[A-Za-z0-9]{36})/, flow:match"; distance: -4; metadata: tag FLAG OUT B64, color danger; sid: 23;)
alert ip any any -> any any (msg: "A ENOWARS flag was sent to client (base64)"; flow:to_client; file.data; content: "RU5P"; pcre: "/(RU5P[A-Za-z0-9]{3}BQU[A-Za-z0-9]{4}FBQ[A-Za-z0-9]{6}BQ[A-Za-z0-9]{5}FB[A-Za-z0-9]{36})/, flow:match"; distance: -4; metadata: tag FLAG OUT B64, color danger; sid: 24;)
alert ip any any -> any any (msg: "A ENOWARS flag was placed in our services (probably by checkers)"; flow:to_server; content: "ENO"; pcre: "/(ENO[A-Za-z0-9+\/]{2}AAA[A-Za-z0-9+\/]{2}AAA[A-Za-z0-9+\/]{4}AA[A-Za-z0-9+\/]{3}AA[A-Za-z0-9+\/]{27})/, flow:match"; distance: -3; metadata: tag FLAG IN, color success; sid: 25;)
alert ip any any -> any any (msg: "A FAUSTCTF flag was sent to client"; flow:to_client; content: "FAUST_"; pcre: "/(FAUST_[A-Za-z0-9\/+]{32})/, flow:match"; distance: -6; metadata: tag FLAG OUT, color danger; sid: 31;)
alert ip any any -> any any (msg: "A FAUSTCTF flag was sent to client"; flow:to_client; file.data; content: "FAUST_"; pcre: "/(FAUST_[A-Za-z0-9\/+]{32})/, flow:match"; distance: -6; metadata: tag FLAG OUT, color danger; sid: 32;)
alert ip any any -> any any (msg: "A FAUSTCTF flag was sent to client (base64)"; flow:to_client; content: "RkFVU1Rf"; pcre: "/(RkFVU1Rf[A-Za-z0-9\/+]{43}=)/, flow:match"; distance: -8; metadata: tag FLAG OUT B64, color danger; sid: 33;)
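Review bot: The base64 variants of the new ENOWARS rules (sids 23 and 24) narrow the character class from `[A-Za-z0-9\/+]` in the commented-out originals to `[A-Za-z0-9]`, so a flag whose base64 encoding contains `+` or `/` no longer matches; unless that was intended as part of the false-positive reduction, the segments between the fixed `BQU`/`FBQ`/`BQ`/`FB` anchors should keep `+` and `/`. The literal `AAA`/`AA` runs in sids 21, 22 and 25 and the `BQU`/`FBQ`/`BQ`/`FB` runs in sids 23 and 24 pin specific byte offsets of the flag to fixed values, and the page records nothing about where those offsets come from; presumably they are high-order bytes of embedded counters that happen to be zero, in which case the rules would silently stop matching once a counter grows past that range, so the assumption needs to be written down. A comment above sid 21 such as `# ENOWARS flag = "ENO" + base64(<struct>); the fixed AAA/AA segments below are bytes expected to be zero — revisit if the flag layout or counter ranges change` would let the next maintainer check it rather than rediscover it. Since the header line stating that ENOWARS rules are disabled by default is removed in the first hunk, the remaining header comments no longer say which rule sets are active, which is fine as long as the sid 21 comment carries that context.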
