Suricata rules to detect Web application attacks

Here are some examples of Suricata rules that can be used to detect web application attacks:

1. SQL Injection:

alert http any any -> any any (msg:"SQL Injection Detected"; flow:established,to_server; content:"SELECT"; nocase; http_uri; pcre:"/(\%27)|(\')|(\-\-)|(\%23)|(#)/iU"; classtype:web-application-attack; sid:100001;)

2. Cross-Site Scripting (XSS):

alert http any any -> any any (msg:"Cross-Site Scripting Detected"; flow:established,to_server; content:"<script>"; nocase; http_uri; classtype:web-application-attack; sid:100002;)

3. Remote File Inclusion (RFI):

alert http any any -> any any (msg:"Remote File Inclusion Detected"; flow:established,to_server; content:"php://input"; nocase; http_uri; classtype:web-application-attack; sid:100003;)

4. Local File Inclusion (LFI):

alert http any any -> any any (msg:"Local File Inclusion Detected"; flow:established,to_server; content:"../../../../../../../../"; nocase; http_uri; classtype:web-application-attack; sid:100004;)

5. Command Injection:

# A bare "|" inside content is the delimiter of Suricata's hex notation, so the literal pipe byte has to be written as |7C|
alert http any any -> any any (msg:"Command Injection Detected"; flow:established,to_server; content:"|7C|"; http_uri; classtype:web-application-attack; sid:100005;)

6. Server-Side Request Forgery (SSRF):

alert http any any -> any any (msg:"Server-Side Request Forgery Detected"; flow:established,to_server; content:"127.0.0.1"; nocase; http_uri; classtype:web-application-attack; sid:100006;)

These are only a few examples; you can modify them or write additional rules for your specific requirements. Keep in mind that these rules match simple literal strings, are not exhaustive, and will need customization for the target application and environment.
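To make the matching logic of these signatures concrete, here is an added Python example (not from the post and not Suricata's own code): a toy matcher that parses the six rules above and applies only their content, nocase and pcre keywords to constructed request URIs, ignoring flow, classtype and Suricata's real URI normalization. Rule 5 is written with |7C| because a bare | inside content is hex notation and the parser rejects it, as Suricata does.

```python
import re

# Constructed copy of the six rules above; rule 5 uses |7C| (Suricata hex notation for "|").
RULES_TEXT = r"""
alert http any any -> any any (msg:"SQL Injection Detected"; flow:established,to_server; content:"SELECT"; nocase; http_uri; pcre:"/(\%27)|(\')|(\-\-)|(\%23)|(#)/iU"; classtype:web-application-attack; sid:100001;)
alert http any any -> any any (msg:"Cross-Site Scripting Detected"; flow:established,to_server; content:"<script>"; nocase; http_uri; classtype:web-application-attack; sid:100002;)
alert http any any -> any any (msg:"Remote File Inclusion Detected"; flow:established,to_server; content:"php://input"; nocase; http_uri; classtype:web-application-attack; sid:100003;)
alert http any any -> any any (msg:"Local File Inclusion Detected"; flow:established,to_server; content:"../../../../../../../../"; nocase; http_uri; classtype:web-application-attack; sid:100004;)
alert http any any -> any any (msg:"Command Injection Detected"; flow:established,to_server; content:"|7C|"; http_uri; classtype:web-application-attack; sid:100005;)
alert http any any -> any any (msg:"Server-Side Request Forgery Detected"; flow:established,to_server; content:"127.0.0.1"; nocase; http_uri; classtype:web-application-attack; sid:100006;)
"""

OPTION = re.compile(r'(\w+)(?::"((?:[^"\\]|\\.)*)")?;')  # keyword; or keyword:"value";

def decode_content(raw):
    """Expand |XX XX| hex blocks; an odd number of pipes is a syntax error (as in Suricata)."""
    if raw.count("|") % 2:
        raise ValueError("unbalanced hex notation in content: %r" % raw)
    return "".join(bytes.fromhex(p).decode("latin-1") if i % 2 else p
                   for i, p in enumerate(raw.split("|")))

def parse_rule(line):
    """Reduce one rule to the keywords this toy matcher understands: msg, content, nocase, pcre."""
    rule = {"msg": None, "contents": [], "pcre": None}
    for key, value in OPTION.findall(line[line.index("(") + 1:]):
        if key == "msg":
            rule["msg"] = value
        elif key == "content":
            rule["contents"].append([decode_content(value), False])
        elif key == "nocase":
            rule["contents"][-1][1] = True          # applies to the preceding content
        elif key == "pcre":
            body, flags = value[1:].rsplit("/", 1)  # "/pattern/flags"; U = URI buffer
            rule["pcre"] = re.compile(body, re.I if "i" in flags else 0)
    return rule

RULES = [parse_rule(l) for l in RULES_TEXT.strip().splitlines()]

def alerts_for(uri):
    """Return the msg of every rule whose content and pcre conditions all hold on the URI."""
    fired = []
    for rule in RULES:
        hit = all((n.lower() in uri.lower()) if nocase else (n in uri)
                  for n, nocase in rule["contents"])
        if hit and (rule["pcre"] is None or rule["pcre"].search(uri)):
            fired.append(rule["msg"])
    return fired
```

For example, alerts_for("/docs?q=select+statement") returns an empty list: the keyword alone satisfies rule 1's content, but its pcre also requires a quote or comment character, and both conditions must hold for the rule to fire.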