From 549089a970e39d1ea09c10af5eaf8f696dd19d40 Mon Sep 17 00:00:00 2001
From: Maxime THIEBAUT <46688461+0xThiebaut@users.noreply.github.com>
Date: Wed, 1 May 2024 22:16:03 +0200
Subject: suricata: T751: Initial support for suricata
---
 interface-definitions/service_ids_suricata.xml.in | 250 ++++++++++++++++++++++
 1 file changed, 250 insertions(+)
 create mode 100644 interface-definitions/service_ids_suricata.xml.in
(limited to 'interface-definitions/service_ids_suricata.xml.in')
diff --git a/interface-definitions/service_ids_suricata.xml.in b/interface-definitions/service_ids_suricata.xml.in
new file mode 100644
index 000000000..8c1973567
--- /dev/null
+++ b/interface-definitions/service_ids_suricata.xml.in
@@ -0,0 +1,250 @@ + + + + + + + + + Network IDS, IPS and Network Security Monitoring + 740 + + + #include + + + Address group name + + home-net external-net http-servers smtp-servers sql-servers dns-servers telnet-servers aim-servers dc-servers dnp3-server dnp3-client modbus-client modbus-server enip-client enip-server + + + [a-z0-9-]+ + + + + + + IP address or subnet + + ipv4 + IPv4 address to match + + + ipv6 + IPv6 address to match + + + ipv4net + IPv4 prefix to match + + + ipv6net + IPv6 prefix to match + + + !ipv4 + Exclude the specified IPv4 address from matches + + + !ipv6 + Exclude the specified IPv6 address from matches + + + !ipv4net + Exclude the specified IPv6 prefix from matches + + + !ipv6net + Exclude the specified IPv6 prefix from matches + + + + + + + + + + + + + + + + + Address group + + service ids suricata address-group + home-net external-net http-servers smtp-servers sql-servers dns-servers telnet-servers aim-servers dc-servers dnp3-server dnp3-client modbus-client modbus-server enip-client enip-server + + + string + Address group to match + + + !string + Exclude the specified address group from matches + + + !?[a-z0-9-]+ + + + + + + + + + Port group name + + http-ports shellcode-ports oracle-ports ssh-ports dnp3-ports modbus-ports file-data-ports ftp-ports geneve-ports vxlan-ports teredo-ports + + + [a-z0-9-]+ + + + + + + Port number + + u32:1-65535 + Numeric port to match + + + !u32:1-65535 + Numeric port to exclude from matches + + + start-end + Numbered port range (e.g. 1001-1005) to match + + + !start-end + Numbered port range (e.g. 
!1001-1005) to exclude from matches + + + + + + + + + + + Port group + + service ids suricata port-group + http-ports shellcode-ports oracle-ports ssh-ports dnp3-ports modbus-ports file-data-ports ftp-ports geneve-ports vxlan-ports teredo-ports + + + string + Port group to match + + + !string + Exclude the specified port group from matches + + + !?[a-z0-9-]+ + + + + + + + + + Suricata log outputs + + + + + Extensible Event Format (EVE) + + + + + EVE logging destination + + regular syslog + + + regular + Log to filename + + + syslog + Log to syslog + + + (regular|syslog) + + + regular + + + + Log file + + filename + File name in default Suricata log directory + + + /path + Absolute file path + + + eve.json + + + + Log types + + alert anomaly drop files http dns tls smtp dnp3 ftp rdp nfs smb tftp ikev2 dcerpc krb5 snmp rfb sip dhcp ssh mqtt http2 flow netflow + + + alert + Record events for rule matches + + + anomaly + Record unexpected conditions such as truncated packets, packets with invalid IP/UDP/TCP length values, and other events that render the packet invalid for further processing or describe unexpected behavior on an established stream + + + drop + Record events for dropped packets + + + file + Record file details (e.g., MD5) for files extracted from application protocols (e.g., HTTP) + + + application (http, dns, tls, ...) + Record application-level transactions + + + flow + Record bi-directional flows + + + netflow + Record uni-directional flows + + + (alert|anomaly|http|dns|tls|files|drop|smtp|dnp3|ftp|rdp|nfs|smb|tftp|ikev2|dcerpc|krb5|snmp|rfb|sip|dhcp|ssh|mqtt|http2|flow|netflow) + + + + + + + + + + + + + + + -- cgit v1.2.3
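Review bot: The value help for the EVE log `type` node describes a value named `file` ("Record file details (e.g., MD5) …") while both the completion list and the accepted-value regex `(alert|anomaly|http|dns|tls|files|drop|…)` only know `files`, so the help text advertises a value the node will reject; the help entry should read `files`. In the address-group `address` node the help for `!ipv4net` says "Exclude the specified IPv6 prefix from matches" where the `ipv4net` entry above it correctly says IPv4, so it should be `Exclude the specified IPv4 prefix from matches`. The XML element markup has been flattened in this rendering, so the constraint elements behind the `/path` "Absolute file path" value of the `filename` node are not visible here; if the value is interpolated into the generated suricata.yaml it is worth confirming that a path-style validator is attached, since the group-name leaves already restrict their input to `[a-z0-9-]+` and the log file path deserves the same care.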