From 92a8fcd5d834267e37aa4480e040b4f09ec14417 Mon Sep 17 00:00:00 2001
From: aiooss-anssi
Date: Thu, 11 Jul 2024 13:58:54 +0200
Subject: [PATCH] suricata/rules: make some warnings only info

---
 suricata/rules/suricata.rules | 28 ++++++++++++++--------------
 1 file changed, 14 insertions(+), 14 deletions(-)

diff --git a/suricata/rules/suricata.rules b/suricata/rules/suricata.rules
index 2ec9e50..ae195eb 100644
--- a/suricata/rules/suricata.rules
+++ b/suricata/rules/suricata.rules
@@ -78,22 +78,22 @@ alert http any any -> any any (msg: "tag"; http.stat_code; content: "403"; start
 alert http any any -> any any (msg: "tag"; http.stat_code; content: "404"; startswith; metadata: tag 404, color info; sid: 2110;)
 alert http any any -> any any (msg: "tag"; http.stat_code; content: "405"; startswith; metadata: tag 405, color info; sid: 2111;)
 alert http any any -> any any (msg: "tag"; http.stat_code; content: "408"; startswith; metadata: tag 408, color info; sid: 2112;)
-alert http any any -> any any (msg: "tag"; http.stat_code; content: "500"; startswith; metadata: tag 500, color warning; sid: 2113;)
-alert http any any -> any any (msg: "tag"; http.stat_code; content: "501"; startswith; metadata: tag 501, color warning; sid: 2114;)
-alert http any any -> any any (msg: "tag"; http.stat_code; content: "502"; startswith; metadata: tag 502, color warning; sid: 2115;)
-alert http any any -> any any (msg: "tag"; http.stat_code; content: "503"; startswith; metadata: tag 503, color warning; sid: 2116;)
-alert http any any -> any any (msg: "tag"; http.stat_code; content: "504"; startswith; metadata: tag 504, color warning; sid: 2117;)
+alert http any any -> any any (msg: "tag"; http.stat_code; content: "500"; startswith; metadata: tag 500, color info; sid: 2113;)
+alert http any any -> any any (msg: "tag"; http.stat_code; content: "501"; startswith; metadata: tag 501, color info; sid: 2114;)
+alert http any any -> any any (msg: "tag"; http.stat_code; content: "502"; startswith; metadata: tag 502, color info; sid: 2115;)
+alert http any any -> any any (msg: "tag"; http.stat_code; content: "503"; startswith; metadata: tag 503, color info; sid: 2116;)
+alert http any any -> any any (msg: "tag"; http.stat_code; content: "504"; startswith; metadata: tag 504, color info; sid: 2117;)
 
 # Identify user agents and some common response messages (sid 3001-4000)
-alert http any any -> any any (msg: "tag"; flow:to_server; content: "python-requests/"; startswith; http_user_agent; metadata: tag UA PYREQ, color warning; sid: 3001;)
-alert http any any -> any any (msg: "tag"; flow:to_server; content: "python-httpx/"; startswith; http_user_agent; metadata: tag UA HTTPX, color warning; sid: 3002;)
-alert http any any -> any any (msg: "tag"; flow:to_server; content: "HeadlessChrome/"; http_user_agent; metadata: tag UA HLCHROME, color warning; sid: 3003;)
-alert http any any -> any any (msg: "tag"; flow:to_server; content: "Gecko/20100101 Firefox/"; http_user_agent; metadata: tag UA FIREFOX, color warning; sid: 3004;)
-alert http any any -> any any (msg: "tag"; flow:to_server; content: "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/"; http_user_agent; metadata: tag UA CHROME, color warning; sid: 3005;)
-alert http any any -> any any (msg: "tag"; flow:to_server; content: "AppleWebKit/605.1.15 (KHTML, like Gecko) Version/"; http_user_agent; metadata: tag UA SAFARI, color warning; sid: 3006;)
-alert http any any -> any any (msg: "tag"; flow:to_server; content: "nushell"; startswith; http_user_agent; metadata: tag UA NUSHELL, color warning; sid: 3007;)
-alert http any any -> any any (msg: "tag"; flow:to_server; content: "Python/3."; startswith; http_user_agent; metadata: tag UA PY, color warning; sid: 3008;)
-alert http any any -> any any (msg: "tag"; flow:to_server; content: "curl/"; startswith; http_user_agent; metadata: tag UA CURL, color warning; sid: 3009;)
+alert http any any -> any any (msg: "tag"; flow:to_server; content: "python-requests/"; startswith; http_user_agent; metadata: tag UA PYREQ, color info; sid: 3001;)
+alert http any any -> any any (msg: "tag"; flow:to_server; content: "python-httpx/"; startswith; http_user_agent; metadata: tag UA HTTPX, color info; sid: 3002;)
+alert http any any -> any any (msg: "tag"; flow:to_server; content: "HeadlessChrome/"; http_user_agent; metadata: tag UA HLCHROME, color info; sid: 3003;)
+alert http any any -> any any (msg: "tag"; flow:to_server; content: "Gecko/20100101 Firefox/"; http_user_agent; metadata: tag UA FIREFOX, color info; sid: 3004;)
+alert http any any -> any any (msg: "tag"; flow:to_server; content: "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/"; http_user_agent; metadata: tag UA CHROME, color info; sid: 3005;)
+alert http any any -> any any (msg: "tag"; flow:to_server; content: "AppleWebKit/605.1.15 (KHTML, like Gecko) Version/"; http_user_agent; metadata: tag UA SAFARI, color info; sid: 3006;)
+alert http any any -> any any (msg: "tag"; flow:to_server; content: "nushell"; startswith; http_user_agent; metadata: tag UA NUSHELL, color info; sid: 3007;)
+alert http any any -> any any (msg: "tag"; flow:to_server; content: "Python/3."; startswith; http_user_agent; metadata: tag UA PY, color info; sid: 3008;)
+alert http any any -> any any (msg: "tag"; flow:to_server; content: "curl/"; startswith; http_user_agent; metadata: tag UA CURL, color info; sid: 3009;)
 
 # Common exploit payloads (sid 4001-5000)
 alert ip any any -> any any (msg: "Found Bash space bypass '${IFS}'"; content: "|24 7b|IFS|7d|"; nocase; metadata: tag BASH IFS, color warning; sid: 4001;)
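Review bot: The demotion of the 5xx status tags (sid 2113–2117) and the user-agent tags (sid 3001–3009) from `color warning` to `color info` is recorded nowhere but the one-line commit subject, so nothing in the rules file tells the next maintainer why these are informational while the sid 4001+ payload rules stay at `warning`, and the severities are likely to drift back. Presumably the intent is that a 5xx response or a scripted user agent on its own is ordinary traffic and only worth showing as context, with `warning` reserved for findings an analyst should look at; if so, a comment at the top of the status-code block, e.g. `# color info = context tag only, color warning = needs analyst attention (see sid 4001+)`, would fix the convention in place. One consequence worth stating in that comment is that a 5xx following a request that hit a sid 4001+ rule is now only surfaced through the request-side warning, so correlating the two is left to whatever consumes the `tag` metadata.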