# This file posits that you're trying to defend the 192.168.1.0 class C network

# we're trying to log data to "sensitive" ports, plus alert on truly suspicious activity

# some of these things may not be suspicious in your network environment, but we run a 
# fairly tight network (access wise) where I work, so most every alert rule for specific
# network rules shown here applies in my case

# if you need help writing a specific rule, feel free to drop me a line!

#  -Marty (roesch@clark.net)


##################################
# alert on interesting packets
##################################

# look for stealth port scans/sweeps
alert tcp any any -> 192.168.1.0/24 any <SYN FIN Scan> {SF}
alert tcp any any -> 192.168.1.0/24 any <FIN Scan> {F}
alert tcp any any -> 192.168.1.0/24 any <NULL Scan> {}
alert tcp any any -> 192.168.1.0/24 any <XMAS Scan> {FPU}

# find backdoor attempts
alert udp any any -> 192.168.1.0/24 31337 <Back Orifice>
alert tcp any any -> 192.168.1.0/24 12345 <Netbus>
alert tcp any any -> 192.168.1.0/24 12346 <Netbus>
alert tcp any any -> 192.168.1.0/24 10752 <Linux mountd backdoor>
alert udp any any -> 192.168.1.0/24 2140 <Deep Throat>

# NT SNMP user list
alert udp any any -> 192.168.1.0/24 161 <NT user list> [|2b 06 01 04 01 4d 01 02 19|]

# other interesting ports....
alert udp any any -> 192.168.1.0/24 161 <SNMP traffic>
alert tcp any any -> 192.168.1.0/24 143 <IMAP traffic>
alert tcp any any -> 192.168.1.0/24 512 <REXEC traffic>
alert tcp any any -> 192.168.1.0/24 513 <RSH traffic>
alert tcp any any -> 192.168.1.0/24 514 <RLOGIN traffic>
alert udp any any -> 192.168.1.0/24 194 <IRC traffic>
alert tcp any any -> 192.168.1.0/24 194 <IRC traffic>
alert tcp any any -> 192.168.1.0/24 111 <Portmap traffic>
alert udp any any -> 192.168.1.0/24 111 <Portmap traffic>
alert tcp any any -> 192.168.1.0/24 32771 <Sun portmap traffic>
alert udp any any -> 192.168.1.0/24 32771 <Sun portmap traffic>

# token DoS detector
alert udp 192.168.1.0/24 7 -> 192.168.1.0/24 19 <UDP bomb>
alert udp 192.168.1.0/24 19 -> 192.168.1.0/24 7 <UDP bomb>

# alert on incoming phf attacks
alert tcp any any -> 192.168.1.0/24 80 [/cgi-bin/phf] <Possible PHF Attack>

# x86 buffer overflows, put the specifics before the general case
alert tcp any any -> 192.168.1.0/24 143 <IMAP buffer overflow!> [|E8 C0FF FFFF|/bin/sh]
alert tcp any any -> 192.168.1.0/24 53 <DNS buffer overflow!> [|80E8 D7FF FFFF|/bin/sh]

# this one looks for the bunch of NOP's before the actual exploit string
alert tcp any any -> 192.168.1.0/24 any <Possible x86 buffer overflow> [|9090 9090 9090 9090 9090|]

# netbios crap
alert udp any any -> 192.168.1.0/24 137 <SMB Name Wildcard> [CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA|00 00|]
alert tcp any any -> 192.168.1.0/24 139 <Samba client access> [|00|Unix|00|Samba]
alert tcp any any -> 192.168.1.0/24 139 <SMB CD...> [\...|00 00 00|]
alert tcp any any -> 192.168.1.0/24 139 <SMB CD..> [\..|2f 00 00 00|]
alert tcp any any -> 192.168.1.0/24 139 <SMB C$ access> [\C$|00 41 3a 00|]
alert tcp any any -> 192.168.1.0/24 139 <SMB D$ access> [\D$|00 41 3a 00|]
alert tcp any any -> 192.168.1.0/24 139 <SMB ADMIN$ access> [\ADMIN$|00 41 3a 00|]

# alert on stuff going where it probably shouldn't be
alert tcp any 53 -> 192.168.1.0/24 :1024 <Source Port traffic>
alert tcp any 25 -> 192.168.1.0/24 :1024 <Source Port traffic>
alert tcp any :1024 -> 192.168.1.0/24 :1024 <Source Port traffic>

#log all ICMP traffic
log icmp any any -> any any

#log all TCP/UDP traffic

# all tcp traffic below port 1024
log tcp any any -> 192.168.1.0/24 :1024 

# grab xwindows traffic
log tcp any any -> 192.168.1.0/24 6000:6010 

# high port RPC stuff too
log tcp any any -> 192.168.1.0/24 32000:33000 

# do the same for UDP
log udp any any -> 192.168.1.0/24 :2000 
log udp any any -> 192.168.1.0/24 32000:33000