Write a Suricata rule for a file upload vulnerability
Time: 2023-11-17 18:21:32 Views: 32
alert http any any -> any any (msg:"Suricata File Upload Vulnerability"; flow:to_server,established; filemagic:"PE"; file_data; content:"MZ"; content:"This program cannot be run in DOS mode"; threshold:type limit, track by_src, count 1, seconds 60; sid:1000001; rev:1;)
This rule mainly monitors file-upload behaviour in HTTP traffic and checks whether the uploaded file contains a PE file header (starting with "MZ") and the specific string "This program cannot be run in DOS mode", using that to decide whether the file is malicious. The rule also uses the threshold feature, restricting the same IP address to one upload within 60 seconds. When the conditions are met, it raises the "Suricata File Upload Vulnerability" alert and records the SID and REV.
Related questions
Write a Suricata rule for an HTTP protocol file upload vulnerability
alert http any any -> any any (msg:"HTTP文件上传漏洞检测"; flow:to_server,established; http.request_body; content:"Content-Disposition|3a| form-data|3b| name=|22|file|22|"; nocase; content:"filename=|22|"; nocase; distance:0; pcre:"/filename=[^;]+?\.(php|pl|py|jsp|asp|aspx|exe|dll|sh)/Pi"; reference:url,https://www.owasp.org/index.php/Unrestricted_File_Upload; classtype:attempted-user; sid:1000001; rev:1;)
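As an added illustration (not part of either answer above), the Python below mirrors what the PE rule from the first answer and the multipart rule from the second actually evaluate on a request body, and shows the threshold semantics: type limit with count 1, seconds 60 emits at most one alert per source IP per 60-second window and does not stop the second upload. The request bodies, addresses and PE-like bytes are constructed, the filename regex is copied from the rule's pcre, and filemagic is not emulated.

```python
import re

DANGEROUS_EXT_RE = re.compile(rb"filename=[^;]+?\.(php|pl|py|jsp|asp|aspx|exe|dll|sh)", re.I)
DOS_STUB = b"This program cannot be run in DOS mode"

def matches_upload_rule(body: bytes) -> bool:
    """Multipart rule: all three matches run on the request body, which is where filename= lives."""
    low = body.lower()
    return (b'content-disposition: form-data; name="file"' in low
            and b'filename="' in low and DANGEROUS_EXT_RE.search(body) is not None)

def matches_pe_rule(body: bytes) -> bool:
    """PE rule as written: no depth, so "MZ" may sit anywhere in the body; filemagic is not emulated."""
    return b"MZ" in body and DOS_STUB in body

class SourceLimit:
    """threshold:type limit, track by_src, count 1, seconds 60: one alert per source per window."""
    def __init__(self, seconds: int = 60):
        self.seconds, self.window_start = seconds, {}

    def allow(self, src: str, now: float) -> bool:
        start = self.window_start.get(src)
        if start is not None and now - start < self.seconds:
            return False          # alert suppressed; the upload itself still goes through
        self.window_start[src] = now
        return True

def evaluate(requests, limiter=None):
    """Run both rules over (src_ip, timestamp, body) tuples and return the alerts emitted."""
    limiter, alerts = limiter or SourceLimit(), []
    for src, ts, body in requests:
        if matches_upload_rule(body):
            alerts.append((src, "risky extension upload"))
        if matches_pe_rule(body) and limiter.allow(src, ts):
            alerts.append((src, "PE upload"))
    return alerts

def multipart(filename: bytes, content: bytes) -> bytes:
    """Build a one-part multipart/form-data body (constructed test input, fixed boundary)."""
    return (b'--BND\r\nContent-Disposition: form-data; name="file"; filename="' + filename
            + b'"\r\nContent-Type: application/octet-stream\r\n\r\n' + content + b"\r\n--BND--\r\n")

# Constructed samples; PE_SAMPLE only imitates a PE header, it is not a real binary.
PE_SAMPLE = b"MZ\x90\x00" + b"\x00" * 60 + DOS_STUB + b"\x00" * 8
SAMPLE_REQUESTS = [
    ("10.0.0.5", 100.0, multipart(b"tool.exe", PE_SAMPLE)),    # both rules fire
    ("10.0.0.5", 130.0, multipart(b"tool2.exe", PE_SAMPLE)),   # PE alert suppressed: same src, <60 s
    ("10.0.0.6", 140.0, multipart(b"photo.png", b"\x89PNG\r\n")),  # neither rule fires
    ("10.0.0.7", 150.0, multipart(b"notes.php", b"plain text")),   # extension rule only
]
```

Running evaluate(SAMPLE_REQUESTS) yields four alerts, only one of them for the PE upload, which is the visible effect of the threshold.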
Write a Suricata rule for a file inclusion vulnerability
alert http any any -> any any (msg:"File Inclusion Vulnerability Detected"; flow:to_server,established; content:"GET"; http_method; content:"../"; http_uri; sid:100001; rev:1;)
Explanation:
- alert: generate an alert when the rule detects abnormal behaviour
- http: protocol type
- any any -> any any: source IP and port, destination IP and port are all unrestricted
- flow:to_server,established: filters for request traffic sent from the client to the server on an established connection
- msg: rule description
- content:"GET"; http_method: matches traffic whose HTTP request method is GET
- content:"../"; http_uri: matches traffic whose URI contains ../
- sid:100001: rule ID
- rev:1: rule revision number