Created
November 3, 2025 19:43
-
-
Save williamzujkowski/fdd48db6a837ca02c00c79f7c4fd6cde to your computer and use it in GitHub Desktop.
Suricata Custom Detection Rules - Port scanning, DNS anomalies, C2 beaconing, and data exfiltration detection
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Suricata Custom Detection Rules | |
| # Location: /etc/suricata/rules/custom-local.rules | |
| # Purpose: Custom rules for port scanning, DNS anomalies, C2, and exfiltration detection | |
| # ============================================================================ | |
| # Port Scan Detection | |
| # ============================================================================ | |
| # Detect Nmap SYN scan | |
| alert tcp any any -> $HOME_NET any (msg:"SCAN Nmap SYN scan detected"; flags:S,12; threshold: type threshold, track by_src, count 20, seconds 10; classtype:attempted-recon; sid:1000001; rev:1;) | |
| # Detect Masscan | |
| alert tcp any any -> $HOME_NET any (msg:"SCAN Masscan detected"; flow:to_server; flags:S,12; window:1024; threshold: type threshold, track by_src, count 50, seconds 5; classtype:attempted-recon; sid:1000002; rev:1;) | |
| # Detect UDP port scan | |
| alert udp any any -> $HOME_NET any (msg:"SCAN UDP port scan"; threshold: type threshold, track by_dst, count 100, seconds 10; classtype:attempted-recon; sid:1000003; rev:1;) | |
| # ============================================================================ | |
| # Malicious DNS Activity Detection | |
| # ============================================================================ | |
| # DNS tunneling detection | |
| alert dns any any -> any any (msg:"DNS Possible DNS Tunneling - High Entropy"; dns.query; content:"."; pcre:"/^[a-z0-9]{50,}/i"; classtype:trojan-activity; sid:1000010; rev:1;) | |
| # DGA domain detection | |
| alert dns any any -> any any (msg:"DNS Possible DGA Domain"; dns.query; pcre:"/^[a-z]{20,}\.com/i"; classtype:trojan-activity; sid:1000011; rev:1;) | |
| # DNS exfiltration - large TXT records | |
| alert dns any 53 -> $HOME_NET any (msg:"DNS Large TXT Record Response"; dns.query; dns.rrtype:TXT; byte_test:2,>,500,0,relative; classtype:policy-violation; sid:1000012; rev:1;) | |
| # ============================================================================ | |
| # Command & Control Traffic Detection | |
| # ============================================================================ | |
| # Suspicious beaconing behavior | |
| alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"C2 Possible Beaconing - Regular Intervals"; flow:to_server,established; threshold: type both, track by_src, count 10, seconds 300; classtype:trojan-activity; sid:1000020; rev:1;) | |
| # Detect Cobalt Strike default beacons | |
| alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"C2 Possible Cobalt Strike Beacon"; flow:established,to_server; content:"MZARUH"; fast_pattern; classtype:trojan-activity; sid:1000021; rev:1;) | |
| # Suspicious User-Agent strings | |
| alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"C2 Suspicious User-Agent"; flow:to_server,established; content:"User-Agent|3a 20|curl"; http_header; classtype:trojan-activity; sid:1000022; rev:1;) | |
| # ============================================================================ | |
| # Data Exfiltration Detection | |
| # ============================================================================ | |
| # Large file upload | |
| alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"EXFIL Large POST Request"; flow:to_server,established; http.method; content:"POST"; byte_test:4,>,1000000,0,relative; classtype:policy-violation; sid:1000030; rev:1;) | |
| # Uncommon protocols on common ports | |
| alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"EXFIL Non-TLS traffic on 443"; flow:to_server,established; content:!"|16 03|"; depth:2; classtype:protocol-command-decode; sid:1000031; rev:1;) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment