SAMPLE RULES

#Alert on HTTP GET Requests
alert tcp any any -> any 80 (msg:"HTTP GET Request"; content:"GET"; sid:1000001; rev:1;)
 * Matches TCP traffic to destination port 80 whose payload contains the byte string "GET" at any position; the match is case-sensitive and not tied to the HTTP method field, so it also fires on any other data on port 80 that happens to contain that string.
 
#Detect ICMP Echo Requests (Ping)
alert icmp any any -> any any (msg:"ICMP Ping Detected"; itype:8; sid:1000002; rev:1;)
 * Matches ICMP echo requests (type 8).

#Block SSH Traffic to a Specific Host
drop tcp any any -> 192.168.1.5 22 (msg:"SSH Connection Blocked"; sid:1000003; rev:1;)
 * Drops all TCP traffic to 192.168.1.5 on port 22 (assumed to be SSH; the rule matches on the port, not the protocol). The drop action only blocks when the sensor runs inline; in passive IDS mode the rule is logged but the connection is not stopped.

#Match DNS Queries
alert udp any any -> any 53 (msg:"DNS Query Detected"; content:"example.com"; sid:1000004; rev:1;)
 * Intended to detect DNS queries for example.com; as written it matches the literal ASCII string "example.com" in the UDP payload. In DNS wire format the name is carried as length-prefixed labels (example and com, with no dot between them), so this exact string does not normally appear in a query and the rule will generally not fire as described.
