suricata/rules: make some warnings only info
aiooss-anssi committed Jul 11, 2024
1 parent fc87b98 commit 92a8fcd
Showing 1 changed file with 14 additions and 14 deletions.
28 changes: 14 additions & 14 deletions suricata/rules/suricata.rules
Expand Up @@ -78,22 +78,22 @@ alert http any any -> any any (msg: "tag"; http.stat_code; content: "403"; start
alert http any any -> any any (msg: "tag"; http.stat_code; content: "404"; startswith; metadata: tag 404, color info; sid: 2110;)
alert http any any -> any any (msg: "tag"; http.stat_code; content: "405"; startswith; metadata: tag 405, color info; sid: 2111;)
alert http any any -> any any (msg: "tag"; http.stat_code; content: "408"; startswith; metadata: tag 408, color info; sid: 2112;)
alert http any any -> any any (msg: "tag"; http.stat_code; content: "500"; startswith; metadata: tag 500, color warning; sid: 2113;)
alert http any any -> any any (msg: "tag"; http.stat_code; content: "501"; startswith; metadata: tag 501, color warning; sid: 2114;)
alert http any any -> any any (msg: "tag"; http.stat_code; content: "502"; startswith; metadata: tag 502, color warning; sid: 2115;)
alert http any any -> any any (msg: "tag"; http.stat_code; content: "503"; startswith; metadata: tag 503, color warning; sid: 2116;)
alert http any any -> any any (msg: "tag"; http.stat_code; content: "504"; startswith; metadata: tag 504, color warning; sid: 2117;)
alert http any any -> any any (msg: "tag"; http.stat_code; content: "500"; startswith; metadata: tag 500, color info; sid: 2113;)
alert http any any -> any any (msg: "tag"; http.stat_code; content: "501"; startswith; metadata: tag 501, color info; sid: 2114;)
alert http any any -> any any (msg: "tag"; http.stat_code; content: "502"; startswith; metadata: tag 502, color info; sid: 2115;)
alert http any any -> any any (msg: "tag"; http.stat_code; content: "503"; startswith; metadata: tag 503, color info; sid: 2116;)
alert http any any -> any any (msg: "tag"; http.stat_code; content: "504"; startswith; metadata: tag 504, color info; sid: 2117;)

# Identify user agents and some common response messages (sid 3001-4000)
alert http any any -> any any (msg: "tag"; flow:to_server; content: "python-requests/"; startswith; http_user_agent; metadata: tag UA PYREQ, color warning; sid: 3001;)
alert http any any -> any any (msg: "tag"; flow:to_server; content: "python-httpx/"; startswith; http_user_agent; metadata: tag UA HTTPX, color warning; sid: 3002;)
alert http any any -> any any (msg: "tag"; flow:to_server; content: "HeadlessChrome/"; http_user_agent; metadata: tag UA HLCHROME, color warning; sid: 3003;)
alert http any any -> any any (msg: "tag"; flow:to_server; content: "Gecko/20100101 Firefox/"; http_user_agent; metadata: tag UA FIREFOX, color warning; sid: 3004;)
alert http any any -> any any (msg: "tag"; flow:to_server; content: "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/"; http_user_agent; metadata: tag UA CHROME, color warning; sid: 3005;)
alert http any any -> any any (msg: "tag"; flow:to_server; content: "AppleWebKit/605.1.15 (KHTML, like Gecko) Version/"; http_user_agent; metadata: tag UA SAFARI, color warning; sid: 3006;)
alert http any any -> any any (msg: "tag"; flow:to_server; content: "nushell"; startswith; http_user_agent; metadata: tag UA NUSHELL, color warning; sid: 3007;)
alert http any any -> any any (msg: "tag"; flow:to_server; content: "Python/3."; startswith; http_user_agent; metadata: tag UA PY, color warning; sid: 3008;)
alert http any any -> any any (msg: "tag"; flow:to_server; content: "curl/"; startswith; http_user_agent; metadata: tag UA CURL, color warning; sid: 3009;)
alert http any any -> any any (msg: "tag"; flow:to_server; content: "python-requests/"; startswith; http_user_agent; metadata: tag UA PYREQ, color info; sid: 3001;)
alert http any any -> any any (msg: "tag"; flow:to_server; content: "python-httpx/"; startswith; http_user_agent; metadata: tag UA HTTPX, color info; sid: 3002;)
alert http any any -> any any (msg: "tag"; flow:to_server; content: "HeadlessChrome/"; http_user_agent; metadata: tag UA HLCHROME, color info; sid: 3003;)
alert http any any -> any any (msg: "tag"; flow:to_server; content: "Gecko/20100101 Firefox/"; http_user_agent; metadata: tag UA FIREFOX, color info; sid: 3004;)
alert http any any -> any any (msg: "tag"; flow:to_server; content: "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/"; http_user_agent; metadata: tag UA CHROME, color info; sid: 3005;)
alert http any any -> any any (msg: "tag"; flow:to_server; content: "AppleWebKit/605.1.15 (KHTML, like Gecko) Version/"; http_user_agent; metadata: tag UA SAFARI, color info; sid: 3006;)
alert http any any -> any any (msg: "tag"; flow:to_server; content: "nushell"; startswith; http_user_agent; metadata: tag UA NUSHELL, color info; sid: 3007;)
alert http any any -> any any (msg: "tag"; flow:to_server; content: "Python/3."; startswith; http_user_agent; metadata: tag UA PY, color info; sid: 3008;)
alert http any any -> any any (msg: "tag"; flow:to_server; content: "curl/"; startswith; http_user_agent; metadata: tag UA CURL, color info; sid: 3009;)

# Common exploit payloads (sid 4001-5000)
alert ip any any -> any any (msg: "Found Bash space bypass '${IFS}'"; content: "|24 7b|IFS|7d|"; nocase; metadata: tag BASH IFS, color warning; sid: 4001;)
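Review bot: The new lines move sids 2113-2117 and 3001-3009 from `color warning` to `color info`, but nothing in the file says what the two colors mean, so whoever tunes these next has to guess the criterion; a one-line comment above the status-code block, e.g. `# color: warning = worth a look on its own, info = context only (5xx and client UAs are presumably too frequent to flag alone)`, would pin it, with the parenthetical adjusted to the actual reason. The demotion is also uniform across scripting clients and browsers: `curl/`, `python-requests/`, `python-httpx/` and `Python/3.` (sids 3001, 3002, 3008, 3009) are usually tooling rather than a player's browser, so if the warning tier is meant to surface that distinction, those four could keep `color warning` while the browser UAs in 3004-3006 go to info. Unrelated to the change itself, every rule on the new side still carries `msg: "tag"`, so alerts in fast.log/eve.json are indistinguishable without reading `metadata`; putting the tag name in `msg` (e.g. `msg: "tag UA CURL"`) would make the sids self-describing. The status-code block begins above the hunk, which opens at the 403 rule rather than at the block's first line.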
