一.定义http攻击类型
编辑classification.config文件,为HTTP协议增加以下类别,并设定相应的priority(数值越小优先级越高,1为最高;规则通过classtype引用这里定义的短名称)
HTTP协议是明文传输,其流量特征存在于URL地址、POST请求正文、请求头或响应头中;文件上传的特征同样位于POST请求正文中。因此Suricata可以分别用http_uri、http_client_body、http_header/http_stat_code等关键字精确匹配这些位置,而不是在整个载荷上盲目匹配。
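# classification.config: one "config classification: <shortname>, <description>, <priority>" per line.
# A lower priority number means higher severity (1 is the highest). The shortname is what
# rules reference via classtype; the description is what shows up in alert output.
# A single 4xx/5xx is informational on its own, so status anomalies get the lowest priority here.
config classification: web-status-error, web服务器状态异常, 4
# Many errors from one client in a short window indicate scanning/enumeration.
config classification: web-scan-attack, web页面扫描攻击, 2
config classification: web-sql-injection, SQL注入攻击, 1
config classification: web-xss-attack, XSS跨站攻击, 2
# SSRF is server-side request forgery, not a cross-site attack; the description is corrected.
config classification: web-ssrf-attack, SSRF服务端请求伪造攻击, 2
config classification: web-shell-attack, 站点木马植入, 1
config classification: web-file-upload, 文件上传异常, 1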
二.URL地址栏异常
1.状态码异常
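# 状态码异常 -> status-code anomalies.
# http_stat_code only exists in the server response, so the direction is written explicitly as
# server -> client instead of "<>"; a bidirectional header just wastes inspection on requests.
# Port 8443 is usually TLS; these rules only work if the service actually speaks plaintext HTTP on it.
alert http $HOME_NET 8443 -> any any (msg:"Web服务器出现404."; content:"404"; http_stat_code; classtype:web-status-error; sid:561001; rev:2;)
# Fixed: the msg said 403 but the matched status code was "404".
alert http $HOME_NET 8443 -> any any (msg:"Web服务器出现403."; content:"403"; http_stat_code; classtype:web-status-error; sid:561002; rev:2;)
# Fixed: the msg said 500 but the matched status code was "404"; the rule is also rejoined onto one line.
alert http $HOME_NET 8443 -> any any (msg:"Web服务器出现500."; content:"500"; http_stat_code; classtype:web-status-error; sid:561003; rev:2;)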
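# 扫描攻击 -> scan detection: the same client triggering 5 or more 404s within 20 seconds.
# The match is on the response (server -> client), so the scanning client is the packet
# *destination*; the threshold therefore tracks by_dst. The original "track by_src" on a
# response-side match would have counted per server, i.e. any 5 clients together could trip it.
# The msg is made distinct from 561001 so the two alerts can be told apart in fast.log.
alert http $HOME_NET 8443 -> any any (msg:"Web页面扫描攻击-20秒内5次404."; content:"404"; http_stat_code; threshold:type threshold, track by_dst, count 5, seconds 20; classtype:web-scan-attack; sid:561004; rev:2;)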
2.SQL注入攻击
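# SQL注入攻击 -> SQL injection, URI-based signatures (client -> server, port 8443).
# All rules match on the normalized request URI (http_uri). Note that the normalized URI
# percent-decodes "%20" into a space but does NOT turn "+" into a space, so the space-delimited
# patterns below (|20|and|20| etc.) miss "id=1+and+1=1"; the pcre rule 562015 accepts both forms.
# sid fixed: 561001 collided with the 404 rule above and Suricata refuses to load duplicate sids.
alert http any any -> $HOME_NET 8443 (msg:"SQL注入攻击-union."; content:"union"; http_uri; nocase; classtype:web-sql-injection; sid:562000; rev:2;)
# msg corrected: this rule matches "select", not "union".
alert http any any -> $HOME_NET 8443 (msg:"SQL注入攻击-select."; content:"select"; http_uri; nocase; classtype:web-sql-injection; sid:562001; rev:2;)
# msg typo fixed ("ordey by" -> "order by").
alert http any any -> $HOME_NET 8443 (msg:"SQL注入攻击-order by."; content:"order by"; http_uri; nocase; classtype:web-sql-injection; sid:562002; rev:2;)
alert http any any -> $HOME_NET 8443 (msg:"SQL注入攻击-database()."; content:"database()"; http_uri; nocase; classtype:web-sql-injection; sid:562003; rev:1;)
alert http any any -> $HOME_NET 8443 (msg:"SQL注入攻击-version()."; content:"version()"; http_uri; nocase; classtype:web-sql-injection; sid:562004; rev:1;)
alert http any any -> $HOME_NET 8443 (msg:"SQL注入攻击-user()."; content:"user()"; http_uri; nocase; classtype:web-sql-injection; sid:562005; rev:1;)
alert http any any -> $HOME_NET 8443 (msg:"SQL注入攻击-updatexml(."; content:"updatexml("; http_uri; nocase; classtype:web-sql-injection; sid:562006; rev:1;)
# "extract(" is a prefix of "extractvalue(", so this covers the MySQL error-based function too.
alert http any any -> $HOME_NET 8443 (msg:"SQL注入攻击-extract(."; content:"extract("; http_uri; nocase; classtype:web-sql-injection; sid:562007; rev:1;)
# |20| is a literal space; see the note above about "+"-encoded spaces.
alert http any any -> $HOME_NET 8443 (msg:"SQL注入攻击-and."; content:"|20|and|20|"; http_uri; nocase; classtype:web-sql-injection; sid:562008; rev:1;)
alert http any any -> $HOME_NET 8443 (msg:"SQL注入攻击-or."; content:"|20|or|20|"; http_uri; nocase; classtype:web-sql-injection; sid:562009; rev:1;)
# |7C 7C| is "||" (string concatenation in Oracle/PostgreSQL, logical OR in MySQL).
alert http any any -> $HOME_NET 8443 (msg:"SQL注入攻击-||."; content:"|7C 7C|"; http_uri; nocase; classtype:web-sql-injection; sid:562010; rev:2;)
# msg corrected: this rule matches "&&", not "and".
alert http any any -> $HOME_NET 8443 (msg:"SQL注入攻击-&&."; content:"&&"; http_uri; nocase; classtype:web-sql-injection; sid:562011; rev:2;)
# |23| is "#". Browsers strip the fragment before sending, so a "#" reaching the server is itself
# unusual, but some clients/apps do send it; expect some noise.
alert http any any -> $HOME_NET 8443 (msg:"SQL注入攻击-#."; content:"|23|"; http_uri; nocase; classtype:web-sql-injection; sid:562012; rev:1;)
# A bare "--" matches any URL containing two consecutive hyphens (common in slugs and generated
# ids) and will be noisy; 562014 below is the tuned form. Consider disabling this one once
# 562014 is confirmed to fire in your environment.
alert http any any -> $HOME_NET 8443 (msg:"SQL注入攻击---."; content:"--"; http_uri; nocase; classtype:web-sql-injection; sid:562013; rev:1;)
# Fixed: the original pcre "/\+*|\s*/i" matches the empty string, i.e. every URI, so it added
# nothing over 562013. A MySQL "--" comment must be followed by whitespace, which attackers
# send as "--+" or "--%20"; require one of those. /U matches against the normalized URI.
alert http any any -> $HOME_NET 8443 (msg:"SQL注入攻击-- 注释."; content:"--"; http_uri; pcre:"/--(?:\s|\+)/Ui"; classtype:web-sql-injection; sid:562014; rev:2;)
# Catch-all: keyword/function/operator list on any URI carrying parameters ("=").
# Fixed: the original regex was split over three lines with "\" continuations, which turned
# "database\(" into "database(" (unbalanced group) and "--\s+" into "--s+", so the rule would not
# load as intended. It is now a single line. Spaces around and/or and after "--" also accept "+".
# "=" is a poor fast pattern (nearly every query string has one); the pcre does the real work,
# and /U restricts it to the normalized URI instead of the whole stream. Plain words such as
# "from", "where" and "columns" will still produce false positives on ordinary URLs.
alert http any any -> $HOME_NET 8443 (msg:"SQL注入攻击."; content:"="; http_uri; pcre:"/union|select|from|updatexml|extract|database\(|user\(|version\(|information_schema|where|columns|--(?:\s|\+)+|(?:\s|\+)+and(?:\s|\+)+|(?:\s|\+)+or(?:\s|\+)+|\|\||&&/Ui"; classtype:web-sql-injection; sid:562015; rev:2;)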
来源: https://www.cnblogs.com/eveplw/p/16608436.html