openSUSE Build Service

File snort.sec of Package sec

####################################################################
#                Sample SEC ruleset for Snort IDS
#
# Copyright (C) 2003-2009 Risto Vaarandi
# This is free software. You may redistribute copies of it under the terms of 
# the GNU General Public License version 2.
# There is NO WARRANTY, to the extent permitted by law.
####################################################################

# ------------------------------------------------------------------
# Handle portscans
# ------------------------------------------------------------------

# For every completed portscan, add an entry to the PORTSCAN_REPORT;
# also generate a meta-event ACTIVITY_FROM for the IP 

type=Single
ptype=RegExp
pattern=End of portscan from (([\d.]+).*)
desc=Portscan from $1
action=add PORTSCAN_REPORT %t: %s; event ACTIVITY_FROM_$2: %s


# ------------------------------------------------------------------
# Recognize snort alert message and generate corresponding SEC event
# ------------------------------------------------------------------

# recognize snort alert message; also generate 
# a meta-event ACTIVITY_FROM for the IP

type=Single
ptype=RegExp
pattern=snort(?:\[\d+\])?: \[[0-9:]+\] (.+|!Malware|!MALWARE) \[(.+)\] \[.*Priority: (\d+)\]: \S+ ([\d.]+):?\d* -> ([\d.]+):?\d*
desc=PRIORITY $3 INCIDENT FROM $4 TO $5: $1 [$2]
action=event %s; event ACTIVITY_FROM_$4: $1


## Detect if it's an unwanted event in snort
#type=Single
#ptype=RegExp
#pattern=(MALWARE|Malware)
#desc=$0
#action=create UNWANTED_EVENT


# ------------------------------------------------------------------
# Handle priority 1 incidents
# ------------------------------------------------------------------

# Detect the beginning of priority 1 attack from a certain source IP,
# and send a warning e-mail message that a new attack has begun;
# also create a context for storing a detailed information about the attack

type=Single
ptype=RegExp
pattern=PRIORITY 1 INCIDENT FROM ([\d.]+) TO [\d.]+:
context=ATTACK_FROM_$1
continue=TakeNext
desc=Priority 1 attack started from $1
action=create ATTACK_FROM_$1; add ALERT_REPORT %t: %s; pipe '%t: %s' \
       /usr/bin/mail -s 'NOC: SNORT: priority 1 attack from $1' alerts@example.com


# For every priority 1 incident, add an entry to the context by its IP;
# if the IP has been quiet for 5 minutes, report the whole attack

type=Single
ptype=RegExp
pattern=PRIORITY 1 INCIDENT FROM ([\d.]+) TO ([\d.]+): (.+)
context=ATTACK_FROM_$1
continue=TakeNext
desc=Priority 1 incident from $1 to $2: $3
action=add ATTACK_FROM_$1 %t: %s; \ 
       set ATTACK_FROM_$1 300 ( report ATTACK_FROM_$1 \
       /usr/bin/mail -s 'NOC: SNORT: priority 1 attack from $1 (report)' alerts@example.com )


# ------------------------------------------------------------------
# Handle incidents by thresholding
# ------------------------------------------------------------------

# Count how many _certain type_ of incidents are coming from one source
# if the threshold has been crossed, reset the counting operation started
# by the next rule, in order to avoid duplicate alerts for the same IP

type=SingleWithThreshold
ptype=RegExp
pattern=PRIORITY (\d+) INCIDENT FROM ([\d.]+) TO [\d.]+: (.+)
continue=TakeNext
desc=Snort has seen >= 30 priority $1 incidents from $2: $3
action=add ALERT_REPORT %t: %s; \
       reset +1 Snort has seen >= 150 incidents from $2; \
       create TURNOFF_$2 3600
thresh=30
window=3600


# Count how many incidents come from one source

type=SingleWithThreshold
ptype=RegExp
pattern=PRIORITY \d+ INCIDENT FROM ([\d.]+) TO [\d.]+:
context=!TURNOFF_$1
desc=Snort has seen >= 150 incidents from $1
action=add ALERT_REPORT %t: %s
thresh=150
window=7200


# ------------------------------------------------------------------
# Report IPs that have been active for some time
# ------------------------------------------------------------------

# Set up activity contexts for the IP; if the IP has been active for 2 hours, 
# and there have been no gaps longer than 30 minutes, report its activities

type=Single
ptype=RegExp
pattern=ACTIVITY_FROM_([\d.]+):
context=!ACTIVITY_LIST_FOR_$1
continue=TakeNext
desc=Create activity contexts for $1
action=create ACTIVITY_LIST_FOR_$1_LIFETIME; \
       create ACTIVITY_LIST_FOR_$1 7200 ( report ACTIVITY_LIST_FOR_$1 \
       /usr/bin/mail -s 'SNORT: $1 has been active for 2 hours' alerts@example.com; \
       delete ACTIVITY_LIST_FOR_$1_LIFETIME )


# Add the activity event to the context of a given IP, and extend
# the lifetime of activity contexts for 30 minutes for the IP 

type=Single
ptype=RegExp
pattern=ACTIVITY_FROM_([\d.]+): (.*)
context=ACTIVITY_LIST_FOR_$1
desc=Activity from $1: $2
action=add ACTIVITY_LIST_FOR_$1 %t: %s; \
       set ACTIVITY_LIST_FOR_$1_LIFETIME 1800 ( delete ACTIVITY_LIST_FOR_$1 )


# ------------------------------------------------------------------
# Send reports every day at 9:00 am
# ------------------------------------------------------------------

# send daily report about regular alerts

type=Calendar
time=0 12 * * *
desc=Sending alert report...
action=report ALERT_REPORT \
       /usr/bin/mail -s 'SNORT: Hourly alert report' alerts@example.com; \
       delete ALERT_REPORT


# send daily report about portscans

type=Calendar
time=0 9 * * *
desc=Sending portscan report...
action=report PORTSCAN_REPORT \
       /usr/bin/mail -s 'SNORT: daily portscan report' alerts@example.com; \
       delete PORTSCAN_REPORT
Places

File snort.sec of Package sec

Places
