adampielak · December 3, 2025 12:06
diff --git a/suricata-custom-rules-detection.rules b/suricata-custom-rules-detection.rules
 # Suricata Custom Detection Rules
 # Location: /etc/suricata/rules/custom-local.rules
 # Purpose: Custom rules for port scanning, DNS anomalies, C2, and exfiltration detection

 # ============================================================================
 # Port Scan Detection
 # ============================================================================

 # Detect Nmap SYN scan
 alert tcp any any -> $HOME_NET any (msg:"SCAN Nmap SYN scan detected"; flags:S,12; threshold: type threshold, track by_src, count 20, seconds 10; classtype:attempted-recon; sid:1000001; rev:1;)

 # Detect Masscan
 alert tcp any any -> $HOME_NET any (msg:"SCAN Masscan detected"; flow:to_server; flags:S,12; window:1024; threshold: type threshold, track by_src, count 50, seconds 5; classtype:attempted-recon; sid:1000002; rev:1;)

 # Detect UDP port scan
 alert udp any any -> $HOME_NET any (msg:"SCAN UDP port scan"; threshold: type threshold, track by_dst, count 100, seconds 10; classtype:attempted-recon; sid:1000003; rev:1;)

 # ============================================================================
 # Malicious DNS Activity Detection
 # ============================================================================

 # DNS tunneling detection
 alert dns any any -> any any (msg:"DNS Possible DNS Tunneling - High Entropy"; dns.query; content:"."; pcre:"/^[a-z0-9]{50,}/i"; classtype:trojan-activity; sid:1000010; rev:1;)

 # DGA domain detection
 alert dns any any -> any any (msg:"DNS Possible DGA Domain"; dns.query; pcre:"/^[a-z]{20,}\.com/i"; classtype:trojan-activity; sid:1000011; rev:1;)

 # DNS exfiltration - large TXT records
 alert dns any 53 -> $HOME_NET any (msg:"DNS Large TXT Record Response"; dns.query; dns.rrtype:TXT; byte_test:2,>,500,0,relative; classtype:policy-violation; sid:1000012; rev:1;)

 # ============================================================================
 # Command & Control Traffic Detection
 # ============================================================================

 # Suspicious beaconing behavior
 alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"C2 Possible Beaconing - Regular Intervals"; flow:to_server,established; threshold: type both, track by_src, count 10, seconds 300; classtype:trojan-activity; sid:1000020; rev:1;)

 # Detect Cobalt Strike default beacons
 alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"C2 Possible Cobalt Strike Beacon"; flow:established,to_server; content:"MZARUH"; fast_pattern; classtype:trojan-activity; sid:1000021; rev:1;)

 # Suspicious User-Agent strings
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"C2 Suspicious User-Agent"; flow:to_server,established; content:"User-Agent|3a 20|curl"; http_header; classtype:trojan-activity; sid:1000022; rev:1;)

 # ============================================================================
 # Data Exfiltration Detection
 # ============================================================================

 # Large file upload
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"EXFIL Large POST Request"; flow:to_server,established; http.method; content:"POST"; byte_test:4,>,1000000,0,relative; classtype:policy-violation; sid:1000030; rev:1;)

 # Uncommon protocols on common ports
 alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"EXFIL Non-TLS traffic on 443"; flow:to_server,established; content:!"|16 03|"; depth:2; classtype:protocol-command-decode; sid:1000031; rev:1;)
	# Suricata Custom Detection Rules
	# Location: /etc/suricata/rules/custom-local.rules
	# Purpose: Custom rules for port scanning, DNS anomalies, C2, and exfiltration detection

	# ============================================================================
	# Port Scan Detection
	# ============================================================================

	# Detect Nmap SYN scan
	alert tcp any any -> $HOME_NET any (msg:"SCAN Nmap SYN scan detected"; flags:S,12; threshold: type threshold, track by_src, count 20, seconds 10; classtype:attempted-recon; sid:1000001; rev:1;)

	# Detect Masscan
	alert tcp any any -> $HOME_NET any (msg:"SCAN Masscan detected"; flow:to_server; flags:S,12; window:1024; threshold: type threshold, track by_src, count 50, seconds 5; classtype:attempted-recon; sid:1000002; rev:1;)

	# Detect UDP port scan
	alert udp any any -> $HOME_NET any (msg:"SCAN UDP port scan"; threshold: type threshold, track by_dst, count 100, seconds 10; classtype:attempted-recon; sid:1000003; rev:1;)

	# ============================================================================
	# Malicious DNS Activity Detection
	# ============================================================================

	# DNS tunneling detection
	alert dns any any -> any any (msg:"DNS Possible DNS Tunneling - High Entropy"; dns.query; content:"."; pcre:"/^[a-z0-9]{50,}/i"; classtype:trojan-activity; sid:1000010; rev:1;)

	# DGA domain detection
	alert dns any any -> any any (msg:"DNS Possible DGA Domain"; dns.query; pcre:"/^[a-z]{20,}\.com/i"; classtype:trojan-activity; sid:1000011; rev:1;)

	# DNS exfiltration - large TXT records
	alert dns any 53 -> $HOME_NET any (msg:"DNS Large TXT Record Response"; dns.query; dns.rrtype:TXT; byte_test:2,>,500,0,relative; classtype:policy-violation; sid:1000012; rev:1;)

	# ============================================================================
	# Command & Control Traffic Detection
	# ============================================================================

	# Suspicious beaconing behavior
	alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"C2 Possible Beaconing - Regular Intervals"; flow:to_server,established; threshold: type both, track by_src, count 10, seconds 300; classtype:trojan-activity; sid:1000020; rev:1;)

	# Detect Cobalt Strike default beacons
	alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"C2 Possible Cobalt Strike Beacon"; flow:established,to_server; content:"MZARUH"; fast_pattern; classtype:trojan-activity; sid:1000021; rev:1;)

	# Suspicious User-Agent strings
	alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"C2 Suspicious User-Agent"; flow:to_server,established; content:"User-Agent\|3a 20\|curl"; http_header; classtype:trojan-activity; sid:1000022; rev:1;)

	# ============================================================================
	# Data Exfiltration Detection
	# ============================================================================

	# Large file upload
	alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"EXFIL Large POST Request"; flow:to_server,established; http.method; content:"POST"; byte_test:4,>,1000000,0,relative; classtype:policy-violation; sid:1000030; rev:1;)

	# Uncommon protocols on common ports
	alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"EXFIL Non-TLS traffic on 443"; flow:to_server,established; content:!"\|16 03\|"; depth:2; classtype:protocol-command-decode; sid:1000031; rev:1;)
No results found