
Commit 1427f59

Update local.rules
1 parent 8de6893 commit 1427f59


1 file changed

+19
-5
lines changed


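--- a/local.rules
+++ b/local.rules
@@ -1,11 +1,25 @@
-# Nmap Detection without scan port ranges:
+# Nmap Detection without port ranges - the basic Nmap scans 1000 first ports:
 
 alert tcp any any -> any any (msg:"POSSIBLE NMAP TCP (-sT,-sS)"; flow:stateless; flags:S,12; reference:arachnids,198; classtype:attempted-recon; sid:1000004; priority:5; rev:9; threshold:type threshold, track by_src, count 1000, seconds 2700;)
 alert udp any any -> any any (msg:"POSSIBLE NMAP UDP (-sU)"; flow:stateless; classtype:attempted-recon; sid:1000005; priority:5; rev:6; threshold:type threshold, track by_src, count 10, seconds 300; dsize:0;)
 alert ip any any -> any any (msg:"POSSIBLE NMAP FRAGM (-f)"; fragbits:M; threshold:type threshold, track by_src, count 1000, seconds 2700; classtype:attempted-recon; sid:1000006; rev:1;)
 
-# Nmap Detection with more specific and known scan port ranges:
+# Nmap Detection with more specific and known port ranges - tuned for slower Nmap scans:
 
-alert tcp any any -> any [20,21,22,23,25,88,110,135,137,138,139,161,389,445,465,514,587,636,995,1025,1026,1027,1028,1029,1433,1720,3306,3389,5900,8443,11211,27017] (msg:"POSSIBLE NMAP KNOWN TCP (-sT,-sS)"; flow:stateless; flags:S,12; dsize:<60; classtype:attempted-recon; sid:1000007; priority:5; rev:14; threshold:type threshold, track by_src, count 4, seconds 1200;)
-alert udp any any -> any [69,161,162,389,520,1026,1027,1028,1029,12345,11211,27017] (msg:"POSSIBLE NMAP KNOWN UDP (-sU)"; flow:stateless; classtype:attempted-recon; sid:1000008; priority:5; rev:7; threshold:type limit, track by_src, count 4, seconds 1200;)
-alert ip any any -> any any (msg:"POSSIBLE NMAP KNOWN FRAGM (-f)"; fragbits:M+D; threshold:type limit, track by_src, count 4, seconds 1200; classtype:attempted-recon; sid:1000009; rev:6;)
+alert tcp any any -> any [20,21,22,23,25,80,88,110,135,137,138,139,161,389,445,465,514,587,636,995,1025,1026,1027,1028,1029,1433,1720,3306,3389,5900,8443,11211,27017] (msg:"POSSIBLE NMAP KNOWN TCP (-sT,-sS)"; flow:stateless; flags:S,12; dsize:<60; classtype:attempted-recon; sid:1000007; priority:5; rev:14; threshold:type threshold, track by_src, count 10, seconds 30;)
+alert udp any any -> any [69,161,162,389,520,1026,1027,1028,1029,12345,11211,27017] (msg:"POSSIBLE NMAP KNOWN UDP (-sU)"; flow:stateless; classtype:attempted-recon; sid:1000008; priority:5; rev:7; threshold:type limit, track by_src, count 20, seconds 1200;)
+alert ip any any -> any any (msg:"POSSIBLE NMAP KNOWN FRAGM (-f)"; fragbits:M+D; threshold:type limit, track by_src, count 20, seconds 1200; classtype:attempted-recon; sid:1000009; rev:6;)
+
+# Metasploit / Meterpreter / Netcat commonly associated port 4444 connection warnings:
+
+# TCP source port: 4444
+alert tcp any 4444 -> any any (msg:"POSSIBLE METASPLOIT REVERSE SHELL OR TCP SCAN"; classtype:trojan-activity; sid:1000010; rev:1;)
+
+# UDP source port: 4444
+alert udp any 4444 -> any any (msg:"POSSIBLE METASPLOIT REVERSE SHELL OR UDP SCAN"; classtype:trojan-activity; sid:1000011; rev:1;)
+
+# TCP destination port: 4444
+alert tcp any any -> any 4444 (msg:"POSSIBLE METASPLOIT BIND SHELL OR TCP SCAN"; classtype:trojan-activity; sid:1000012; rev:2;)
+
+# UDP destination port: 4444
+alert udp any any -> any 4444 (msg:"POSSIBLE METASPLOIT BIND SHELL OR UDP SCAN"; classtype:trojan-activity; sid:1000013; rev:2;)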
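Review bot: The four new port-4444 rules (sids 1000010–1000013) carry no `flow` option and no `threshold`, so every packet of a matching session raises an alert in both directions, and the source-port variants (sids 1000010/1000011) will also match ordinary client traffic whose ephemeral source port happens to be 4444. Following the style the Nmap rules in this file already use, the destination-port rules should pin the client-to-server direction and rate-limit per source, e.g. `alert tcp any any -> any 4444 (msg:"POSSIBLE METASPLOIT BIND SHELL OR TCP SCAN"; flow:to_server; threshold:type limit, track by_src, count 1, seconds 300; classtype:trojan-activity; sid:1000012; rev:3;)`, and the source-port variants should either add `flow:to_client,established` with the same limit or be dropped, since a session to port 4444 already fires sid 1000012 on the forward direction. Separately, sids 1000007, 1000008 and 1000009 change their port list and threshold counts but keep `rev:14`, `rev:7` and `rev:6`; each edited rule should bump `rev` so downstream alert consumers can distinguish the versions. Note also that raising `count` has opposite effects on the two threshold types used here: sid 1000007 is `type threshold`, so the new `count 10, seconds 30` requires ten SYNs inside a 30 s window before the first alert (a tighter window than the old 4 in 1200 s, which sits oddly next to the new "tuned for slower Nmap scans" comment), whereas sids 1000008/1000009 are `type limit`, where `count 20` means the first twenty matching packets per 1200 s each alert and the rule stays single-packet sensitive.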
