From e3c5784dd53f1210a3abe26eb35143d8cc07d4c0 Mon Sep 17 00:00:00 2001
From: Pascal Delalande
Date: Sat, 31 Mar 2018 18:20:16 +0200
Subject: [PATCH] doc: minor updates (tls custom, TODO removal, ftp/smb file rules)
---
 doc/userguide/configuration/global-thresholds.rst | 4 ++--
 doc/userguide/output/eve/eve-json-format.rst | 4 ++--
 doc/userguide/rules/payload-keywords.rst | 2 +-
 rules/files.rules | 9 +++++++++
 4 files changed, 14 insertions(+), 5 deletions(-)
diff --git a/doc/userguide/configuration/global-thresholds.rst b/doc/userguide/configuration/global-thresholds.rst
index 89203fea61..7ffbfaf9fd 100644
--- a/doc/userguide/configuration/global-thresholds.rst
+++ b/doc/userguide/configuration/global-thresholds.rst
@@ -202,9 +202,9 @@ Each of these will replace the threshold setting for 2002087 by the new
 threshold setting.
 **Note:** overriding all gids or sids (by using gen_id 0 or sig_id 0)
-is not supported. Bug #425.
+is not supported. Bug https://redmine.openinfosecfoundation.org/issues/425.
 Rate_filter
 ~~~~~~~~~~~
-TODO
+see https://redmine.openinfosecfoundation.org/issues/425.
diff --git a/doc/userguide/output/eve/eve-json-format.rst b/doc/userguide/output/eve/eve-json-format.rst
index 41ff2ae2bc..86c0875a0d 100644
--- a/doc/userguide/output/eve/eve-json-format.rst
+++ b/doc/userguide/output/eve/eve-json-format.rst
@@ -381,8 +381,8 @@ If extended logging is enabled the following fields are also included:
 * "fingerprint": The (SHA1) fingerprint of the TLS certificate
 * "sni": The Server Name Indication (SNI) extension sent by the client
 * "version": The SSL/TLS version used
-* "notbefore": The NotBefore field from the TLS certificate
-* "notafter": The NotAfter field from the TLS certificate
+* "not_before": The NotBefore field from the TLS certificate
+* "not_after": The NotAfter field from the TLS certificate
 * "ja3": The JA3 fingerprint consisting of both a JA3 hash and a JA3 string
 JA3 must be enabled in the Suricata config file (set 'app-layer.protocols.tls.ja3-fingerprints' to 'yes').
diff --git a/doc/userguide/rules/payload-keywords.rst b/doc/userguide/rules/payload-keywords.rst
index 1e71540254..0c1c927afa 100644
--- a/doc/userguide/rules/payload-keywords.rst
+++ b/doc/userguide/rules/payload-keywords.rst
@@ -157,7 +157,7 @@ The keywords offset and depth can be combined and are often used together.
 For example::
- content; “def”; offset:3; depth:3;
+ content:“def”; offset:3; depth:3;
 If this was used in a signature, it would check the payload from the third byte till the sixth byte.
diff --git a/rules/files.rules b/rules/files.rules
index 6dd628ec0a..a54556f160 100644
--- a/rules/files.rules
+++ b/rules/files.rules
@@ -50,3 +50,12 @@
 #alert http any any -> any any (msg:"Black list checksum match and extract MD5"; filemd5:fileextraction-chksum.list; filestore; sid:28; rev:1;)
 #alert http any any -> any any (msg:"Black list checksum match and extract SHA1"; filesha1:fileextraction-chksum.list; filestore; sid:29; rev:1;)
 #alert http any any -> any any (msg:"Black list checksum match and extract SHA256"; filesha256:fileextraction-chksum.list; filestore; sid:30; rev:1;)
+
+# Alert and store files over FTP
+#alert ftp-data any any -> any any (msg:"File Found within FTP and stored"; filestore; filename:"password"; ftpdata_command:stor; sid:31; rev:1;)
+
+# Alert and store files over SMB (with RUST activated)
+#alert smb any any -> any any (msg:"File Found over SMB and stored"; filestore; sid:32; rev:1;)
+
+# Alert and store files over NFS (with RUST activated)
+#alert nfs any any -> any any (msg:"File found within NFS and stored"; filestore; sid:33; rev:1;)
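Review bot: The SMB and NFS example rules (sid:32 and sid:33) carry no `filename`/`fileext` constraint, so once uncommented they store every file seen on those protocols, unlike the FTP example (sid:31) which is narrowed by `filename:"password"` and `ftpdata_command:stor`; the header comments should say so, e.g. `# Alert and store files over SMB (requires Suricata built with Rust support, --enable-rust; stores every file seen - narrow with filename/fileext before enabling)`. The FTP rule is further limited to uploads by `ftpdata_command:stor`, and `filename` is, as far as I recall, a case-insensitive substring match, so `"password"` also matches names such as `passwords.csv`; a one-line comment above sid:31 stating both would spare the next reader a trip to the keyword docs. "with RUST activated" is ambiguous wording for what is a build-time requirement. The three msg strings also differ in wording and capitalization (`File Found within FTP`, `File Found over SMB`, `File found within NFS`), which makes them harder to search for consistently in EVE output.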