不多说,直接上干货!
见suricata官网
https://suricata.readthedocs.io/en/latest/rules/index.html
一、Suricata的规则所放位置
下面,是我使用的SELKS里安装的Suricata默认自带规则。
见博客
Stamus Networks的产品SELKS(Suricata IDPS、Elasticsearch 、Logstash 、Kibana 和 Scirius )的下载和安装(带桌面版和不带桌面版)(图文详解)
root@SELKS:/etc/suricata/rules# ll total 12248 -rw-r--r-- 1 www-data www-data 1858 Jul 4 22:24 app-layer-events.rules -rw-rw-r-- 1 www-data www-data 1673 Jul 10 20:05 BSD-License.txt -rw-rw-r-- 1 www-data www-data 2638 Jul 10 20:05 classification.config -rw-rw-r-- 1 www-data www-data 17357 Jul 10 20:05 compromised-ips.txt -rw-r--r-- 1 www-data www-data 19598 Jul 4 22:24 decoder-events.rules -rw-r--r-- 1 www-data www-data 1221 Jul 4 22:24 dnp3-events.rules -rw-r--r-- 1 www-data www-data 1777 Jul 4 22:24 dns-events.rules -rw-rw-r-- 1 www-data www-data 3349 Jul 10 20:05 emerging.conf -rw-r--r-- 1 www-data www-data 3004 Jul 4 22:24 files.rules -rw-rw-r-- 1 www-data www-data 18273 Jul 10 20:05 gen-msg.map -rw-rw-r-- 1 www-data www-data 18092 Jul 10 20:05 gpl-2.0.txt -rw-r--r-- 1 www-data www-data 8637 Jul 4 22:24 http-events.rules -rw-rw-r-- 1 www-data www-data 2243 Jul 10 20:05 LICENSE -rw-r--r-- 1 www-data www-data 2078 Jul 4 22:24 modbus-events.rules -rw-r--r-- 1 www-data www-data 558 Jul 4 22:24 ntp-events.rules -rw-rw-r-- 1 www-data www-data 1377 Jul 10 20:05 reference.config -rw-r--r-- 1 www-data www-data 8764568 Jul 10 20:08 scirius.rules -rw-rw-r-- 1 www-data www-data 3468190 Jul 10 20:05 sid-msg.map -rw-r--r-- 1 www-data www-data 4939 Jul 4 22:24 smtp-events.rules -rw-r--r-- 1 www-data www-data 11879 Jul 4 22:24 stream-events.rules -rw-rw-r-- 1 www-data www-data 37450 Jul 10 20:05 suricata-1.3-etpro-etnamed.yaml -rw-rw-r-- 1 www-data www-data 0 Jul 10 20:05 suricata-1.3-open.txt -rw-rw-r-- 1 www-data www-data 37589 Jul 10 20:05 suricata-1.3-open.yaml -rw-r--r-- 1 www-data www-data 0 Jul 10 20:08 threshold.config -rw-r--r-- 1 www-data www-data 5217 Jul 4 22:24 tls-events.rules -rw-rw-r-- 1 www-data www-data 53841 Jul 10 20:05 unicode.map root@SELKS:/etc/suricata/rules#
下面,是我源码编译安装的Suricata默认自带规则。
见博客
基于CentOS6.5下Suricata(一款高性能的网络IDS、IPS和网络安全监控引擎)的搭建(图文详解)(博主推荐)
[root@suricata rules]# pwd /etc/suricata/rules [root@suricata rules]# ls app-layer-events.rules emerging-activex.rules emerging-icmp.rules emerging-scada.rules emerging-web_server.rules smtp-events.rules botcc.portgrouped.rules emerging-attack_response.rules emerging-imap.rules emerging-scan.rules emerging-web_specific_apps.rules stream-events.rules botcc.rules emerging-chat.rules emerging-inappropriate.rules emerging-shellcode.rules emerging-worm.rules suricata-1.2-prior-open.yaml BSD-License.txt emerging.conf emerging-info.rules emerging-smtp.rules gen-msg.map suricata-1.3-enhanced-open.txt ciarmy.rules emerging-current_events.rules emerging-malware.rules emerging-snmp.rules gpl-2.0.txt suricata-1.3-etpro-etnamed.yaml classification.config emerging-deleted.rules emerging-misc.rules emerging-sql.rules http-events.rules suricata-1.3-open.yaml compromised-ips.txt emerging-dns.rules emerging-mobile_malware.rules emerging-telnet.rules LICENSE tor.rules compromised.rules emerging-dos.rules emerging-netbios.rules emerging-tftp.rules modbus-events.rules unicode.map decoder-events.rules emerging-exploit.rules emerging-p2p.rules emerging-trojan.rules rbn-malvertisers.rules dns-events.rules emerging-ftp.rules emerging-policy.rules emerging-user_agents.rules rbn.rules drop.rules emerging-games.rules emerging-pop3.rules emerging-voip.rules reference.config dshield.rules emerging-icmp_info.rules emerging-rpc.rules emerging-web_client.rules sid-msg.map [root@suricata rules]#
二、Suricata的自定义规则所放位置和书写(重点)
这里,为了规范,我们一般是将自定义的规则也同默认规则在一个目录下。
源码编译安装的Suricata,我这里写了个小例子,见
使用 Suricata 进行入侵监控(一个简单小例子访问百度)
我这里呢,重点使用的是SELKS里的Suricata。(重点)
root@SELKS:/etc/suricata/rules# pwd /etc/suricata/rules root@SELKS:/etc/suricata/rules# ll total 12252 -rw-r--r-- 1 www-data www-data 1858 Jul 4 22:24 app-layer-events.rules -rw-rw-r-- 1 www-data www-data 1673 Jul 10 20:05 BSD-License.txt -rw-rw-r-- 1 www-data www-data 2638 Jul 10 20:05 classification.config -rw-rw-r-- 1 www-data www-data 17357 Jul 10 20:05 compromised-ips.txt -rw-r--r-- 1 www-data www-data 19598 Jul 4 22:24 decoder-events.rules -rw-r--r-- 1 www-data www-data 1221 Jul 4 22:24 dnp3-events.rules -rw-r--r-- 1 www-data www-data 1777 Jul 4 22:24 dns-events.rules -rw-rw-r-- 1 www-data www-data 3349 Jul 10 20:05 emerging.conf -rw-r--r-- 1 www-data www-data 3004 Jul 4 22:24 files.rules -rw-rw-r-- 1 www-data www-data 18273 Jul 10 20:05 gen-msg.map -rw-rw-r-- 1 www-data www-data 18092 Jul 10 20:05 gpl-2.0.txt -rw-r--r-- 1 www-data www-data 8637 Jul 4 22:24 http-events.rules -rw-rw-r-- 1 www-data www-data 2243 Jul 10 20:05 LICENSE -rw-r--r-- 1 root root 253 Aug 17 17:37 local.rules -rw-r--r-- 1 www-data www-data 2078 Jul 4 22:24 modbus-events.rules -rw-r--r-- 1 www-data www-data 558 Jul 4 22:24 ntp-events.rules -rw-rw-r-- 1 www-data www-data 1377 Jul 10 20:05 reference.config -rw-r--r-- 1 www-data www-data 8764568 Jul 10 20:08 scirius.rules -rw-rw-r-- 1 www-data www-data 3468190 Jul 10 20:05 sid-msg.map -rw-r--r-- 1 www-data www-data 4939 Jul 4 22:24 smtp-events.rules -rw-r--r-- 1 www-data www-data 11879 Jul 4 22:24 stream-events.rules -rw-rw-r-- 1 www-data www-data 37450 Jul 10 20:05 suricata-1.3-etpro-etnamed.yaml -rw-rw-r-- 1 www-data www-data 0 Jul 10 20:05 suricata-1.3-open.txt -rw-rw-r-- 1 www-data www-data 37589 Jul 10 20:05 suricata-1.3-open.yaml -rw-r--r-- 1 www-data www-data 0 Jul 10 20:08 threshold.config -rw-r--r-- 1 www-data www-data 5217 Jul 4 22:24 tls-events.rules -rw-rw-r-- 1 www-data www-data 53841 Jul 10 20:05 unicode.map root@SELKS:/etc/suricata/rules#
下面,我将逐个进行解释。
1、 SELKS里的suricata的app-layer-events.rules(非常重要)
# App layer event rules # # SID's fall in the 2260000+ range. See http://doc.emergingthreats.net/bin/view/Main/SidAllocation # # These sigs fire at most once per connection. # # A flowint applayer.anomaly.count is incremented for each match. By default it will be 0. # alert ip any any -> any any (msg:"SURICATA Applayer Mismatch protocol both directions"; flow:established; app-layer-event:applayer_mismatch_protocol_both_directions; flowint:applayer.anomaly.count,+,1; classtype:protocol-command-decode; sid:2260000; rev:1;) alert ip any any -> any any (msg:"SURICATA Applayer Wrong direction first Data"; flow:established; app-layer-event:applayer_wrong_direction_first_data; flowint:applayer.anomaly.count,+,1; classtype:protocol-command-decode; sid:2260001; rev:1;) alert ip any any -> any any (msg:"SURICATA Applayer Detect protocol only one direction"; flow:established; app-layer-event:applayer_detect_protocol_only_one_direction; flowint:applayer.anomaly.count,+,1; classtype:protocol-command-decode; sid:2260002; rev:1;) alert ip any any -> any any (msg:"SURICATA Applayer Protocol detection skipped"; flow:established; app-layer-event:applayer_proto_detection_skipped; flowint:applayer.anomaly.count,+,1; classtype:protocol-command-decode; sid:2260003; rev:1;) # alert if STARTTLS was not followed by actual SSL/TLS alert tcp any any -> any any (msg:"SURICATA Applayer No TLS after STARTTLS"; flow:established; app-layer-event:applayer_no_tls_after_starttls; flowint:applayer.anomaly.count,+,1; classtype:protocol-command-decode; sid:2260004; rev:2;) # unexpected protocol in protocol upgrade alert tcp any any -> any any (msg:"SURICATA Applayer Unexpected protocol"; flow:established; app-layer-event:applayer_unexpected_protocol; flowint:applayer.anomaly.count,+,1; classtype:protocol-command-decode; sid:2260005; rev:1;) #next sid is 2260006
2、 SELKS里的suricata的 BSD-License.txt (非常重要)
#************************************************************* # Copyright (c) 2003-2014, Emerging Threats # All rights reserved. # # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #*************************************************************
3、 SELKS里的suricata的 classification.config (非常重要)
# # config classification:shortname,short description,priority # #Traditional classifications. These will be replaced soon config classification: not-suspicious,Not Suspicious Traffic,3 config classification: unknown,Unknown Traffic,3 config classification: bad-unknown,Potentially Bad Traffic, 2 config classification: attempted-recon,Attempted Information Leak,2 config classification: successful-recon-limited,Information Leak,2 config classification: successful-recon-largescale,Large Scale Information Leak,2 config classification: attempted-dos,Attempted Denial of Service,2 config classification: successful-dos,Denial of Service,2 config classification: attempted-user,Attempted User Privilege Gain,1 config classification: unsuccessful-user,Unsuccessful User Privilege Gain,1 config classification: successful-user,Successful User Privilege Gain,1 config classification: attempted-admin,Attempted Administrator Privilege Gain,1 config classification: successful-admin,Successful Administrator Privilege Gain,1 config classification: rpc-portmap-decode,Decode of an RPC Query,2 config classification: shellcode-detect,Executable Code was Detected,1 config classification: string-detect,A Suspicious String was Detected,3 config classification: suspicious-filename-detect,A Suspicious Filename was Detected,2 config classification: suspicious-login,An Attempted Login Using a Suspicious Username was Detected,2 config classification: system-call-detect,A System Call was Detected,2 config classification: tcp-connection,A TCP Connection was Detected,4 config classification: trojan-activity,A Network Trojan was Detected, 1 config classification: unusual-client-port-connection,A Client was Using an Unusual Port,2 config classification: network-scan,Detection of a Network Scan,3 config classification: denial-of-service,Detection of a Denial of Service Attack,2 config classification: non-standard-protocol,Detection of a Non-Standard Protocol or Event,2 config classification: protocol-command-decode,Generic Protocol Command Decode,3 config classification: web-application-activity,Access to a Potentially Vulnerable Web Application,2 config classification: web-application-attack,Web Application Attack,1 config classification: misc-activity,Misc activity,3 config classification: misc-attack,Misc Attack,2 config classification: icmp-event,Generic ICMP event,3 config classification: inappropriate-content,Inappropriate Content was Detected,1 config classification: policy-violation,Potential Corporate Privacy Violation,1 config classification: default-login-attempt,Attempt to Login By a Default Username and Password,2
4、SELKS里的suricata的compromised-ips.txt (非常重要)
100.16.27.26 101.100.146.142 101.204.128.115 101.230.12.55 101.6.130.81 101.68.109.167 101.95.184.150 103.14.182.59 103.205.14.7 103.207.36.103 103.207.37.170 103.207.37.187 103.207.37.20 103.207.37.73 103.207.37.80 103.207.38.191 103.207.38.195 103.207.39.127 103.207.39.16 103.207.39.188 103.207.39.30 103.207.39.38 103.216.120.245 103.227.81.239 103.249.205.50 103.28.121.90 103.29.16.163 103.31.80.190 103.45.9.244 103.47.137.57 103.53.231.51 103.54.219.210 103.62.239.76 103.74.120.72 103.74.120.73 103.89.124.190 103.89.88.118 103.89.88.119 103.89.88.120 103.89.88.128 103.89.88.130 103.89.88.147 103.89.88.163 103.89.88.168 103.89.88.172 103.89.88.188 103.89.88.66 103.89.91.28 103.9.159.39 104.131.127.81 104.192.2.34 104.205.178.202 104.225.103.87 104.236.48.163 104.237.202.199 104.40.85.167 104.52.24.81 106.112.55.176 106.14.143.238 106.2.20.94 106.36.45.37 106.36.45.43 106.38.159.104 106.39.13.237 106.39.44.0 106.75.152.115 107.10.163.103 107.15.32.114 107.167.189.114 107.173.60.101 108.170.31.119 108.61.157.119 109.132.131.123 109.167.202.71 109.192.8.180 109.195.86.76 109.23.142.139 109.236.82.106 109.90.139.235 110.12.38.93 110.170.131.150 110.182.183.41 110.190.90.207 110.249.217.82 110.51.153.228 110.77.143.2 111.118.204.98 111.121.192.6 111.144.112.36 111.183.102.97 111.204.101.254 111.217.148.102 111.246.121.202 111.73.45.39 112.101.161.63 112.101.167.29 112.104.100.106 112.104.32.32 112.119.236.159 112.120.148.181 112.193.245.64 112.193.247.154 112.216.232.227 112.216.44.115 112.218.76.12 112.25.212.208 112.254.199.190 112.72.98.210 112.90.72.70 113.122.147.60 113.122.35.107 113.122.49.237 113.122.7.181 113.13.186.32 113.135.193.217 113.16.204.156 113.162.109.135 113.186.220.228 113.190.2.38 113.22.109.221 113.23.75.66 113.240.250.144 113.252.218.224 113.5.255.22 113.62.127.254 113.96.134.2 114.113.126.3 114.113.150.181 114.199.67.92 114.241.70.201 114.245.104.205 114.252.208.77 114.32.139.3 114.84.3.17 114.99.241.22 115.114.142.210 115.124.127.209 115.171.31.159 115.230.90.25 115.233.220.100 115.68.24.156 115.73.57.123 115.85.82.90 115.95.160.87 116.100.100.139 116.104.63.185 116.111.226.194 116.115.217.6 116.228.114.206 116.228.132.254 116.228.205.125 116.236.218.66 116.36.229.93 1.164.123.2 1.164.128.251 116.54.193.37 116.62.135.243 116.8.5.182 116.88.115.98 117.0.198.87 117.172.232.12 117.21.210.214 117.240.14.98 117.27.136.49 117.4.26.238 118.131.109.51 118.140.120.26 118.144.127.206 118.151.209.235 118.163.193.82 118.175.21.170 118.189.205.197 118.216.167.18 1.182.168.130 118.217.181.8 1.182.224.153 118.97.55.250 119.163.193.23 119.165.33.24 119.176.42.69 119.185.200.120 119.193.140.157 119.193.140.216 119.207.21.229 119.23.236.141 119.23.255.43 119.254.146.86 119.27.36.79 119.29.234.179 119.29.248.124 119.29.59.125 119.31.210.68 119.36.212.26 119.44.217.222 119.61.27.244 119.74.39.39 119.81.208.88 119.82.68.254 119.95.61.69 120.210.193.101 1.202.187.81 1.202.187.82 120.236.232.18 120.52.120.193 120.52.179.95 120.92.43.223 120.92.76.234 120.92.79.81 120.92.89.63 120.92.93.181 121.141.169.112 121.143.236.90 121.14.7.244 121.148.151.227 121.148.151.230 121.157.84.171 121.160.248.210 121.194.2.247 121.194.2.251 121.194.2.252 121.201.78.13 1.212.241.37 122.112.216.210 122.112.221.12 122.112.225.205 122.114.35.226 122.156.234.148 122.160.88.127 122.224.144.131 122.224.144.133 122.226.68.146 122.55.48.35 1.226.131.20 123.114.35.124 123.119.171.87 123.150.103.3 123.150.108.253 123.158.91.190 123.16.150.39 123.166.29.86 123.168.101.173 123.169.197.127 123.169.198.185 123.169.216.22 123.169.230.16 123.207.219.54 123.207.9.150 123.235.154.212 123.249.4.86 124.127.110.135 124.13.235.12 124.160.103.92 124.18.92.170 124.193.236.138 124.205.190.173 124.207.144.181 124.237.78.183 124.243.216.102 124.6.224.23 124.89.48.33 125.131.127.45 125.132.230.113 125.147.33.73 125.209.165.183 125.212.253.46 125.227.185.1 125.24.65.152 125.253.123.137 125.253.123.140 125.34.78.210 126.24.181.207 126.85.40.39 128.199.66.191 129.232.252.140 130.211.229.196 130.91.248.238 131.100.205.26 1.32.113.71 132.248.141.236 134.249.19.226 137.111.92.27 137.135.46.74 137.74.114.225 137.74.47.82 137.99.1.209 138.197.100.132 138.197.34.203 138.197.83.17 138.36.22.14 138.68.49.247 139.159.220.147 139.159.236.242 139.198.189.26 139.199.178.38 139.201.164.118 139.208.185.163 139.217.1.157 139.219.108.38 139.219.195.206 139.219.196.11 139.219.227.153 139.219.235.54 13.93.151.203 13.94.154.107 139.59.231.14 140.119.170.163 140.250.96.11 140.250.99.110 140.255.75.45 14.153.196.30 14.162.54.218 14.169.27.142 14.175.16.207 14.186.237.216 14.190.134.17 142.0.39.185 143.239.87.19 144.217.201.226 144.76.38.71 145.132.52.248 14.55.206.77 148.251.250.75 149.202.65.164 149.56.109.232 150.244.82.44 151.80.149.14 151.80.42.176 152.101.90.161 152.204.13.242 152.204.21.180 153.122.66.77 153.37.150.197 153.99.185.99 154.0.162.41 1.54.189.78 154.66.40.91 155.133.82.12 155.4.119.5 155.4.186.213 155.4.255.138 157.0.78.2 157.119.184.66 157.7.243.224 159.224.62.130 159.8.107.23 160.16.93.205 160.238.104.2 161.105.179.2 161.202.16.71 162.157.248.168 162.208.50.18 162.254.148.49 163.172.113.171 163.172.130.189 163.172.132.168 163.172.146.104 163.172.164.45 163.172.166.56 163.172.176.183 163.172.204.238 163.172.226.199 163.172.227.51 164.132.194.50 164.160.28.133 166.62.122.86 167.205.108.156 167.61.87.250 168.144.9.15 168.195.182.25 169.38.70.148 170.210.5.57 170.80.33.24 171.212.142.0 171.212.143.29 171.214.178.58 171.231.152.124 171.234.230.135 171.244.18.197 173.193.189.206 173.199.124.23 173.212.218.230 173.212.219.234 173.212.230.79 173.233.59.68 173.244.207.14 173.61.183.188 175.101.12.123 175.137.191.97 175.140.199.193 175.156.164.162 175.210.26.232 175.45.85.70 176.104.176.150 176.119.63.71 176.37.206.64 176.53.86.110 176.74.154.44 176.8.88.176 176.8.88.35 176.9.99.131 177.103.173.122 177.124.247.194 177.130.63.102 177.135.210.130 177.136.40.50 177.23.58.55 177.39.209.11 177.55.191.60 177.55.98.244 177.82.80.9 178.132.216.166 178.132.219.203 178.140.247.238 178.150.0.231 178.157.80.138 178.166.26.215 178.211.55.56 178.213.174.220 178.251.228.77 178.33.167.144 178.57.81.210 178.66.117.238 178.71.217.105 179.107.107.123 179.125.52.114 179.184.37.124 179.35.32.13 180.150.176.70 180.150.5.202 180.151.56.246 180.164.158.184 180.164.38.174 180.183.245.182 180.218.142.20 180.76.160.239 180.97.69.63 181.209.194.181 181.21.10.185 181.223.168.212 182.150.27.203 182.18.61.151 182.18.76.248 182.18.77.199 182.23.28.250 182.23.66.165 182.23.66.166 182.23.66.167 182.23.66.168 182.23.66.170 182.23.66.171 182.243.91.32 182.33.211.130 182.37.90.234 182.61.39.158 182.86.189.237 182.93.77.124 183.129.170.182 183.131.180.83 183.136.132.23 183.140.251.251 183.151.176.168 183.152.90.44 183.240.8.11 183.250.89.39 184.154.43.242 184.62.8.235 185.100.222.110 185.13.202.222 185.141.26.245 185.165.29.111 185.165.29.112 185.165.29.26 185.165.29.38 185.165.29.41 185.165.29.46 185.165.29.50 185.165.29.67 185.165.29.69 185.165.29.76 185.165.29.84 185.177.23.111 185.188.6.128 185.198.56.26 185.206.147.45 185.2.100.72 185.26.147.162 185.29.11.214 185.30.232.10 185.40.31.134 185.92.221.2 186.121.240.62 186.18.14.160 186.203.237.176 186.237.128.194 186.24.37.179 186.58.141.52 187.115.165.204 187.141.143.180 187.18.116.47 187.20.255.169 187.210.228.6 187.33.2.56 188.132.244.89 188.171.12.51 188.171.3.105 188.194.29.193 188.19.56.25 188.212.103.10 188.213.166.191 188.94.241.5 189.16.207.227 189.200.76.241 189.254.234.244 189.4.22.196 189.43.82.194 189.59.220.74 189.89.73.26 190.102.140.100 190.128.255.62 190.15.206.203 190.156.238.131 190.166.159.211 190.17.241.165 190.185.128.228 190.205.54.150 190.210.1.169 190.215.97.65 190.219.110.45 190.25.228.170 190.90.191.18 190.90.191.20 191.103.251.1 191.232.252.181 191.253.110.165 191.7.218.98 191.98.220.10 192.186.133.90 192.187.114.122 192.241.135.35 193.105.134.187 193.151.197.110 193.164.108.28 193.194.69.155 193.58.196.146 1.93.64.252 194.122.166.86 194.132.238.207 194.28.115.112 194.85.90.167 195.14.163.214 195.146.59.167 195.154.102.207 195.154.200.88 195.154.39.188 195.154.48.85 195.154.51.223 195.154.57.131 195.154.59.73 195.158.12.77 195.207.179.90 195.223.245.106 195.242.80.68 195.25.17.198 195.3.147.132 195.3.147.133 195.87.93.143 195.94.212.90 196.24.44.21 197.14.54.201 197.245.234.118 198.167.140.39 198.175.126.128 198.23.161.126 198.244.107.112 198.61.190.203 199.180.133.135 200.105.195.186 200.107.156.229 200.110.172.2 200.111.164.27 200.150.207.82 200.195.139.102 200.206.177.135 200.2.127.242 200.246.136.193 200.57.73.170 200.71.34.59 201.130.203.232 201.16.140.128 201.16.140.73 201.20.73.3 201.217.142.186 201.76.129.116 202.100.182.250 202.107.104.119 202.112.23.245 202.114.159.186 202.120.32.226 202.168.151.118 202.169.44.69 202.201.255.200 202.58.104.46 202.70.34.27 202.71.25.248 202.73.98.66 202.83.111.94 202.85.212.231 203.112.149.73 203.122.27.186 203.142.65.20 203.145.171.58 203.146.107.42 203.185.22.28 203.19.35.67 203.205.40.11 203.205.40.15 203.223.143.116 203.253.207.72 203.35.91.97 204.44.81.206 206.221.188.106 208.52.168.215 209.124.225.135 209.133.208.103 209.190.64.57 210.12.110.7 210.14.152.58 210.18.5.67 210.209.68.130 210.211.100.187 210.212.210.86 210.38.136.92 210.42.72.158 210.72.24.15 210.73.195.79 210.94.133.40 211.110.184.231 211.149.209.32 211.157.114.92 211.228.102.83 211.72.254.202 211.81.48.246 211.88.76.174 211.95.17.4 211.98.64.174 211.98.64.176 211.99.191.106 212.112.41.201 212.129.13.110 212.129.24.71 212.129.27.112 212.129.37.229 212.129.56.220 212.129.61.39 212.147.119.2 212.156.72.102 212.237.21.208 212.237.25.50 212.237.2.97 212.237.38.113 212.237.53.179 212.237.53.247 212.237.54.30 212.237.60.77 212.237.8.216 212.251.54.10 212.47.241.246 212.47.254.117 212.83.142.45 212.86.120.100 213.112.202.186 213.136.65.5 213.136.73.49 213.14.64.98 213.151.96.2 213.167.35.219 213.229.73.111 216.165.71.227 216.198.226.109 216.241.87.179 216.243.62.206 216.41.104.45 216.55.176.225 217.182.205.118 217.182.252.161 217.182.69.217 217.182.73.91 217.182.79.218 217.182.94.32 217.23.13.51 217.61.20.159 217.61.2.24 217.61.6.27 217.72.49.24 217.92.20.95 218.104.144.250 218.108.6.186 218.109.3.220 218.16.209.182 218.240.43.26 218.247.171.20 218.249.154.130 218.61.208.160 218.63.248.173 218.88.177.151 218.88.236.249 218.91.232.26 219.128.72.130 219.129.216.133 219.141.189.4 219.141.189.41 219.141.189.57 219.152.27.1 219.216.72.139 219.217.90.222 219.217.90.224 219.84.169.97 219.92.16.253 220.130.104.108 220.132.66.88 220.134.115.11 220.247.201.40 220.72.81.117 220.89.8.131 221.167.253.208 221.195.48.116 221.203.75.210 221.204.48.155 221.215.160.138 221.229.166.44 221.229.166.74 221.7.177.36 222.117.96.6 222.124.175.86 222.161.20.182 222.161.211.18 222.179.189.206 222.186.169.212 222.186.169.234 222.186.169.235 222.196.36.11 222.252.124.15 222.47.26.138 222.47.26.139 222.47.26.140 222.54.132.162 222.88.213.214 223.100.3.209 223.16.203.95 223.166.207.144 223.18.205.191 223.202.57.237 223.68.8.160 223.84.204.10 223.87.10.205 223.99.167.27 23.225.207.210 23.233.116.163 23.235.161.41 2.32.82.130 24.145.70.60 24.180.131.65 24.202.112.126 24.21.167.65 24.4.27.91 24.5.154.198 24.93.199.243 27.102.66.189 27.115.36.78 27.122.190.83 27.125.145.80 27.132.120.160 27.191.224.130 27.254.63.96 27.50.23.147 31.131.19.111 31.14.128.160 31.169.80.239 31.201.59.186 31.207.47.63 31.221.7.90 34.208.141.173 34.226.202.79 34.252.62.166 34.253.172.174 35.154.166.1 35.160.161.108 35.161.227.4 35.184.143.12 35.196.13.66 36.107.239.163 36.231.31.72 36.234.215.5 36.250.77.36 36.32.128.97 36.49.86.82 36.66.242.91 36.81.203.227 37.114.62.70 37.120.168.194 37.120.169.222 37.187.109.46 37.200.63.88 37.204.121.150 37.222.150.238 37.229.178.24 37.233.101.211 37.49.224.100 37.49.224.115 37.49.224.194 37.52.29.2 38.130.227.70 39.118.158.229 40.69.44.170 40.83.144.161 40.83.145.134 40.83.15.249 41.160.117.170 41.193.67.67 41.33.25.54 42.103.110.93 42.103.96.94 42.112.161.5 42.115.168.174 42.115.168.176 42.115.169.244 42.115.237.85 42.117.120.43 42.117.13.194 42.159.205.6 42.159.251.248 42.202.140.221 42.236.73.149 42.236.73.151 42.87.12.149 43.240.117.234 45.32.120.14 45.32.120.8 45.32.17.241 45.32.68.8 45.32.80.163 45.32.80.174 45.55.200.114 45.56.39.191 45.63.41.172 45.76.130.158 45.76.180.51 45.76.32.127 45.76.38.65 45.77.29.192 45.77.30.134 45.77.68.12 45.77.75.92 46.101.171.182 46.118.179.59 46.139.206.243 46.140.157.157 46.146.223.66 46.166.185.33 46.183.222.167 46.189.228.170 46.228.192.158 46.228.192.200 46.242.28.239 46.246.36.45 46.246.45.145 46.38.248.155 46.44.234.78 46.59.14.223 46.61.132.15 4.71.171.180 47.74.0.40 47.92.101.157 47.92.136.153 47.93.193.200 49.143.252.40 49.231.238.218 50.115.165.160 50.199.55.109 50.200.99.19 50.235.200.138 50.63.167.21 5.101.40.10 51.15.131.72 51.15.140.183 51.15.140.54 51.15.143.76 51.15.45.206 51.15.49.172 51.15.55.67 51.15.59.93 51.15.69.161 51.15.69.204 51.15.70.155 51.15.74.36 51.254.126.89 5.141.219.63 5.141.98.150 5.172.111.125 5.175.40.188 5.1.81.165 5.187.245.239 52.10.188.3 52.164.208.219 52.166.76.165 52.168.166.245 52.172.209.6 52.173.143.114 52.174.36.99 52.178.134.151 52.178.45.144 52.179.17.135 52.203.74.121 52.229.119.21 52.231.201.37 52.237.246.189 52.242.35.99 5.230.131.185 5.249.150.189 52.58.184.59 52.58.71.63 52.66.7.114 54.166.187.96 54.171.155.0 54.215.184.159 54.237.199.84 54.88.207.172 54.93.60.87 58.101.149.217 58.187.173.199 58.187.199.38 58.213.99.251 58.216.51.73 58.218.200.5 58.240.202.16 58.240.26.2 58.240.52.76 58.247.246.36 58.42.228.170 58.55.127.254 59.111.92.32 59.115.120.165 59.127.229.12 59.41.103.97 59.45.142.199 59.49.111.146 59.53.67.84 59.57.13.165 59.63.161.252 60.12.229.225 60.174.195.41 60.190.226.162 60.216.75.138 60.253.214.115 60.255.146.182 60.28.235.147 60.5.255.112 61.144.105.236 61.158.120.253 61.159.182.140 61.161.182.158 61.163.32.197 61.180.33.102 61.183.52.39 61.185.27.34 61.216.145.154 61.222.152.156 61.234.156.69 61.51.192.243 61.72.97.52 61.79.81.73 61.85.7.206 62.112.9.25 62.146.13.85 62.163.155.31 62.168.44.238 62.210.169.42 62.210.211.212 62.210.24.141 62.210.24.142 62.210.247.81 62.210.48.192 62.210.48.193 62.210.48.196 62.232.121.238 62.233.149.138 62.75.210.207 64.244.204.50 64.55.104.2 65.52.181.50 66.113.15.230 66.210.180.50 66.31.24.189 67.137.119.10 67.189.16.174 67.204.212.159 67.207.94.17 67.210.105.196 67.8.107.41 68.102.147.186 68.118.181.247 69.159.244.95 69.162.73.83 69.249.103.229 69.4.91.92 69.61.125.189 69.70.245.30 71.42.243.226 72.2.170.24 72.248.114.133 73.115.68.110 73.130.68.239 73.168.47.138 73.203.31.15 73.207.128.189 73.217.158.187 73.29.49.121 74.118.114.202 74.208.202.74 74.208.47.253 74.222.20.43 74.74.132.156 75.146.136.114 75.185.32.119 76.110.252.120 76.12.191.22 77.107.237.51 77.166.11.186 77.174.233.198 77.222.139.15 77.222.155.252 77.243.188.150 77.244.211.2 77.34.115.49 77.34.132.210 77.53.124.27 77.72.82.171 77.72.82.187 77.81.225.108 77.81.225.18 77.81.225.37 77.81.225.9 77.81.226.120 78.111.124.240 78.111.2.25 78.187.47.157 78.192.107.9 78.233.101.180 78.40.108.231 78.58.187.40 79.1.210.39 79.137.0.35 79.137.86.3 79.142.66.169 79.171.75.25 79.174.32.164 79.7.209.216 79.98.155.170 80.112.141.195 80.11.28.118 80.195.199.74 80.241.38.36 80.55.15.30 80.56.46.52 80.59.61.107 80.82.64.21 80.82.77.46 81.136.157.167 81.136.189.195 81.138.11.109 81.138.86.225 81.142.80.97 81.142.98.129 81.149.154.58 81.149.211.134 81.171.53.7 81.171.58.111 81.174.255.65 81.184.253.49 81.196.221.96 82.10.59.165 82.216.39.35 82.225.6.33 82.253.111.241 82.69.94.219 82.74.122.154 82.81.139.73 83.121.255.250 83.233.5.167 83.234.168.65 83.255.117.130 83.52.18.255 84.10.18.150 84.198.184.38 84.216.211.76 85.114.132.32 85.150.101.113 85.150.79.226 85.184.149.94 85.194.166.198 85.195.42.225 85.195.48.240 85.214.116.182 85.222.46.201 85.232.156.4 85.92.220.96 86.100.68.209 86.171.57.227 86.205.119.160 86.57.164.109 86.57.168.86 86.97.49.101 87.81.240.178 87.98.185.8 88.103.112.229 88.159.153.152 88.177.168.133 88.177.205.141 88.186.249.54 88.188.177.186 88.190.183.18 88.190.235.84 88.198.65.205 88.215.4.114 88.87.20.126 88.99.133.232 88.99.3.195 88.99.39.105 89.163.209.162 89.163.255.165 89.218.73.54 89.239.149.7 89.248.160.2 89.34.237.72 89.36.211.8 89.40.70.128 89.46.196.206 91.102.225.109 91.112.18.170 91.120.21.57 91.134.133.251 91.134.177.237 91.160.90.59 91.161.102.62 91.195.103.171 91.197.232.109 91.197.232.15 91.200.12.1 91.200.205.119 91.218.105.28 91.218.114.137 91.225.78.26 91.236.116.245 91.236.116.75 91.236.116.78 91.73.236.133 92.100.166.228 92.100.211.180 92.207.194.177 92.222.216.160 92.222.74.167 92.27.4.189 92.43.113.177 92.45.30.225 93.114.42.188 93.152.165.147 93.174.89.103 93.176.213.222 93.186.245.104 93.186.245.119 93.186.245.160 93.186.245.241 93.187.16.70 93.61.95.172 93.63.247.0 93.63.4.77 93.76.199.84 93.85.82.92 94.125.120.23 94.156.20.219 94.158.166.207 94.177.167.240 94.177.180.80 94.177.189.75 94.177.197.113 94.177.205.214 94.177.205.52 94.177.205.87 94.177.206.227 94.177.206.46 94.177.217.113 94.177.217.184 94.180.250.74 94.188.164.58 94.210.83.227 94.23.216.99 94.29.109.131 94.74.81.27 94.99.138.196 95.110.174.19 95.110.174.43 95.110.174.52 95.110.186.242 95.123.201.228 95.123.84.219 95.138.190.191 95.211.209.213 95.30.227.173 95.55.108.201 95.67.46.46 95.9.109.6 96.239.59.131 96.57.82.166 96.88.170.121 98.126.20.18 99.225.59.47
5、SELKS里的suricata的decoder-events.rules (非常重要)
# Decoder event signatures for Suricata. # SID's fall in the 2200000+ range. See http://doc.emergingthreats.net/bin/view/Main/SidAllocation alert pkthdr any any -> any any (msg:"SURICATA IPv4 packet too small"; decode-event:ipv4.pkt_too_small; classtype:protocol-command-decode; sid:2200000; rev:2;) alert pkthdr any any -> any any (msg:"SURICATA IPv4 header size too small"; decode-event:ipv4.hlen_too_small; classtype:protocol-command-decode; sid:2200001; rev:2;) alert pkthdr any any -> any any (msg:"SURICATA IPv4 total length smaller than header size"; decode-event:ipv4.iplen_smaller_than_hlen; classtype:protocol-command-decode; sid:2200002; rev:2;) alert pkthdr any any -> any any (msg:"SURICATA IPv4 truncated packet"; decode-event:ipv4.trunc_pkt; classtype:protocol-command-decode; sid:2200003; rev:2;) alert pkthdr any any -> any any (msg:"SURICATA IPv4 invalid option"; decode-event:ipv4.opt_invalid; classtype:protocol-command-decode; sid:2200004; rev:2;) alert pkthdr any any -> any any (msg:"SURICATA IPv4 invalid option length"; decode-event:ipv4.opt_invalid_len; classtype:protocol-command-decode; sid:2200005; rev:2;) alert pkthdr any any -> any any (msg:"SURICATA IPv4 malformed option"; decode-event:ipv4.opt_malformed; classtype:protocol-command-decode; sid:2200006; rev:2;) #alert pkthdr any any -> any any (msg:"SURICATA IPv4 padding required "; decode-event:ipv4.opt_pad_required; classtype:protocol-command-decode; sid:2200007; rev:2;) alert pkthdr any any -> any any (msg:"SURICATA IPv4 with ICMPv6 header"; decode-event:ipv4.icmpv6; classtype:protocol-command-decode; sid:2200092; rev:2;) alert pkthdr any any -> any any (msg:"SURICATA IPv4 option end of list required"; decode-event:ipv4.opt_eol_required; classtype:protocol-command-decode; sid:2200008; rev:2;) alert pkthdr any any -> any any (msg:"SURICATA IPv4 duplicated IP option"; decode-event:ipv4.opt_duplicate; classtype:protocol-command-decode; sid:2200009; rev:2;) alert pkthdr any any -> any any (msg:"SURICATA IPv4 unknown IP option"; decode-event:ipv4.opt_unknown; classtype:protocol-command-decode; sid:2200010; rev:2;) alert pkthdr any any -> any any (msg:"SURICATA IPv4 wrong IP version"; decode-event:ipv4.wrong_ip_version; classtype:protocol-command-decode; sid:2200011; rev:2;) alert pkthdr any any -> any any (msg:"SURICATA IPv6 packet too small"; decode-event:ipv6.pkt_too_small; classtype:protocol-command-decode; sid:2200012; rev:2;) alert pkthdr any any -> any any (msg:"SURICATA IPv6 truncated packet"; decode-event:ipv6.trunc_pkt; classtype:protocol-command-decode; sid:2200013; rev:2;) alert pkthdr any any -> any any (msg:"SURICATA IPv6 truncated extension header"; decode-event:ipv6.trunc_exthdr; classtype:protocol-command-decode; sid:2200014; rev:2;) alert pkthdr any any -> any any (msg:"SURICATA IPv6 duplicated Fragment extension header"; decode-event:ipv6.exthdr_dupl_fh; classtype:protocol-command-decode; sid:2200015; rev:2;) alert pkthdr any any -> any any (msg:"SURICATA IPv6 useless Fragment extension header"; decode-event:ipv6.exthdr_useless_fh; classtype:protocol-command-decode; sid:2200080; rev:2;) alert pkthdr any any -> any any (msg:"SURICATA IPv6 duplicated Routing extension header"; decode-event:ipv6.exthdr_dupl_rh; classtype:protocol-command-decode; sid:2200016; rev:2;) alert pkthdr any any -> any any (msg:"SURICATA IPv6 duplicated Hop-By-Hop Options extension header"; decode-event:ipv6.exthdr_dupl_hh; classtype:protocol-command-decode; sid:2200017; rev:2;) alert pkthdr any any -> any any (msg:"SURICATA IPv6 duplicated Destination Options extension header"; decode-event:ipv6.exthdr_dupl_dh; classtype:protocol-command-decode; sid:2200018; rev:2;) alert pkthdr any any -> any any (msg:"SURICATA IPv6 duplicated Authentication Header extension header"; decode-event:ipv6.exthdr_dupl_ah; classtype:protocol-command-decode; sid:2200019; rev:2;) alert pkthdr any any -> any any (msg:"SURICATA IPv6 duplicate ESP extension header"; decode-event:ipv6.exthdr_dupl_eh; classtype:protocol-command-decode; sid:2200020; rev:2;) alert pkthdr any any -> any any (msg:"SURICATA IPv6 invalid option lenght in header"; decode-event:ipv6.exthdr_invalid_optlen; classtype:protocol-command-decode; sid:2200021; rev:2;) alert pkthdr any any -> any any (msg:"SURICATA IPv6 wrong IP version"; decode-event:ipv6.wrong_ip_version; classtype:protocol-command-decode; sid:2200022; rev:2;) # RFC 4302 states the reserved field should be 0. alert pkthdr any any -> any any (msg:"SURICATA IPv6 AH reserved field not 0"; decode-event:ipv6.exthdr_ah_res_not_null; classtype:protocol-command-decode; sid:2200081; rev:2;) # HOP option that we don't understand alert pkthdr any any -> any any (msg:"SURICATA IPv6 HOPOPTS unknown option"; decode-event:ipv6.hopopts_unknown_opt; classtype:protocol-command-decode; sid:2200086; rev:2;) # HOP header with only padding, covert channel? alert pkthdr any any -> any any (msg:"SURICATA IPv6 HOPOPTS only padding"; decode-event:ipv6.hopopts_only_padding; classtype:protocol-command-decode; sid:2200087; rev:2;) # DST option that we don't understand alert pkthdr any any -> any any (msg:"SURICATA IPv6 DSTOPTS unknown option"; decode-event:ipv6.dstopts_unknown_opt; classtype:protocol-command-decode; sid:2200088; rev:2;) # DST header with only padding, covert channel? alert pkthdr any any -> any any (msg:"SURICATA IPv6 DSTOPTS only padding"; decode-event:ipv6.dstopts_only_padding; classtype:protocol-command-decode; sid:2200089; rev:2;) # Type 0 Routing header deprecated per RFC 5095 alert ipv6 any any -> any any (msg:"SURICATA RH Type 0"; decode-event:ipv6.rh_type_0; classtype:protocol-command-decode; sid:2200093; rev:2;) # padN option with zero length field alert ipv6 any any -> any any (msg:"SURICATA zero length padN option"; decode-event:ipv6.zero_len_padn; classtype:protocol-command-decode; sid:2200094; rev:2;) # Frag Header 'length' field is reserved and should be 0 alert ipv6 any any -> any any (msg:"SURICATA reserved field in Frag Header not zero"; decode-event:ipv6.fh_non_zero_reserved_field; classtype:protocol-command-decode; sid:2200095; rev:2;) # Data after the 'none' header (59) is suspicious. alert ipv6 any any -> any any (msg:"SURICATA data after none (59) header"; decode-event:ipv6.data_after_none_header; classtype:protocol-command-decode; sid:2200096; rev:2;) # unknown/unsupported next header / protocol. Valid protocols are not yet supported, so disabling by default #alert ipv6 any any -> any any (msg:"SURICATA unknown next header / protocol"; decode-event:ipv6.unknown_next_header; classtype:protocol-command-decode; sid:2200097; rev:2;) alert ipv6 any any -> any any (msg:"SURICATA IPv6 with ICMPv4 header"; decode-event:ipv6.icmpv4; classtype:protocol-command-decode; sid:2200090; rev:2;) alert pkthdr any any -> any any (msg:"SURICATA ICMPv4 packet too small"; decode-event:icmpv4.pkt_too_small; classtype:protocol-command-decode; sid:2200023; rev:2;) alert pkthdr any any -> any any (msg:"SURICATA ICMPv4 unknown type"; decode-event:icmpv4.unknown_type; classtype:protocol-command-decode; sid:2200024; rev:2;) alert pkthdr any any -> any any (msg:"SURICATA ICMPv4 unknown code"; decode-event:icmpv4.unknown_code; classtype:protocol-command-decode; sid:2200025; rev:2;) alert pkthdr any any -> any any (msg:"SURICATA ICMPv4 truncated packet"; decode-event:icmpv4.ipv4_trunc_pkt; classtype:protocol-command-decode; sid:2200026; rev:2;) alert pkthdr any any -> any any (msg:"SURICATA ICMPv4 unknown version"; decode-event:icmpv4.ipv4_unknown_ver; classtype:protocol-command-decode; sid:2200027; rev:2;) alert pkthdr any any -> any any (msg:"SURICATA ICMPv6 packet too small"; decode-event:icmpv6.pkt_too_small; classtype:protocol-command-decode; sid:2200028; rev:2;) # uncomment the following sginature if you plan to update suricata code to support more ICMPv6 type #alert pkthdr any any -> any any (msg:"SURICATA ICMPv6 unknown type"; decode-event:icmpv6.unknown_type; classtype:protocol-command-decode; sid:2200029; rev:2;) alert pkthdr any any -> any any (msg:"SURICATA ICMPv6 unknown code"; decode-event:icmpv6.unknown_code; classtype:protocol-command-decode; sid:2200030; rev:2;) alert pkthdr any any -> any any (msg:"SURICATA ICMPv6 truncated packet"; decode-event:icmpv6.ipv6_trunc_pkt; classtype:protocol-command-decode; sid:2200031; rev:2;) alert pkthdr any any -> any any (msg:"SURICATA ICMPv6 unknown version"; decode-event:icmpv6.ipv6_unknown_version; classtype:protocol-command-decode; sid:2200032; rev:2;) alert pkthdr any any -> any any (msg:"SURICATA ICMPv6 MLD hop limit not 1"; decode-event:icmpv6.mld_message_with_invalid_hl; classtype:protocol-command-decode; sid:2200102; rev:2;) alert pkthdr any any -> any any (msg:"SURICATA ICMPv6 unassigned type"; decode-event:icmpv6.unassigned_type; classtype:protocol-command-decode; sid:2200108; rev:2;) alert pkthdr any any -> any any (msg:"SURICATA ICMPv6 private experimentation type"; decode-event:icmpv6.experimentation_type; classtype:protocol-command-decode; sid:2200109; rev:2;) alert pkthdr any any -> any any (msg:"SURICATA TCP packet too small"; decode-event:tcp.pkt_too_small; classtype:protocol-command-decode; sid:2200033; rev:2;) alert pkthdr any any -> any any (msg:"SURICATA TCP header length too small"; decode-event:tcp.hlen_too_small; classtype:protocol-command-decode; sid:2200034; rev:2;) alert pkthdr any any -> any any (msg:"SURICATA TCP invalid option length"; decode-event:tcp.invalid_optlen; classtype:protocol-command-decode; sid:2200035; rev:2;) alert pkthdr any any -> any any (msg:"SURICATA TCP option invalid length"; decode-event:tcp.opt_invalid_len; classtype:protocol-command-decode; sid:2200036; rev:2;) alert pkthdr any any -> any any (msg:"SURICATA TCP duplicated option"; decode-event:tcp.opt_duplicate; classtype:protocol-command-decode; sid:2200037; rev:2;) alert pkthdr any any -> any any (msg:"SURICATA UDP packet too small"; decode-event:udp.pkt_too_small; classtype:protocol-command-decode; sid:2200038; rev:2;) alert pkthdr any any -> any any (msg:"SURICATA UDP header length too small"; decode-event:udp.hlen_too_small; classtype:protocol-command-decode; sid:2200039; rev:2;) alert pkthdr any any -> any any (msg:"SURICATA UDP invalid header length"; decode-event:udp.hlen_invalid; classtype:protocol-command-decode; sid:2200040; rev:2;) alert pkthdr any any -> any any (msg:"SURICATA SLL packet too small"; decode-event:sll.pkt_too_small; classtype:protocol-command-decode; sid:2200041; rev:2;) alert pkthdr any any -> any any (msg:"SURICATA Ethernet packet too small"; decode-event:ethernet.pkt_too_small; classtype:protocol-command-decode; sid:2200042; rev:2;) alert pkthdr any any -> any any (msg:"SURICATA PPP packet too small"; decode-event:ppp.pkt_too_small; classtype:protocol-command-decode; sid:2200043; rev:2;) alert pkthdr any any -> any any (msg:"SURICATA PPP VJU packet too small"; decode-event:ppp.vju_pkt_too_small; classtype:protocol-command-decode; sid:2200044; rev:2;) alert pkthdr any any -> any any (msg:"SURICATA PPP IPv4 packet too small"; decode-event:ppp.ip4_pkt_too_small; classtype:protocol-command-decode; sid:2200045; rev:2;) alert pkthdr any any -> any any (msg:"SURICATA PPP IPv6 too small"; decode-event:ppp.ip6_pkt_too_small; classtype:protocol-command-decode; sid:2200046; rev:2;) alert pkthdr any any -> any any (msg:"SURICATA PPP wrong type"; decode-event:ppp.wrong_type; classtype:protocol-command-decode; sid:2200047; rev:2;) alert pkthdr any any -> any any (msg:"SURICATA PPP unsupported protocol"; decode-event:ppp.unsup_proto; classtype:protocol-command-decode; sid:2200048; rev:2;) alert pkthdr any any -> any any (msg:"SURICATA PPPOE packet too small"; decode-event:pppoe.pkt_too_small; classtype:protocol-command-decode; sid:2200049; rev:2;) alert pkthdr any any -> any any (msg:"SURICATA PPPOE wrong code"; decode-event:pppoe.wrong_code; classtype:protocol-command-decode; sid:2200050; rev:2;) alert pkthdr any any -> any any (msg:"SURICATA PPPOE malformed tags"; decode-event:pppoe.malformed_tags; classtype:protocol-command-decode; sid:2200051; rev:2;) alert pkthdr any any -> any any (msg:"SURICATA GRE packet too small"; decode-event:gre.pkt_too_small; classtype:protocol-command-decode; sid:2200052; rev:2;) alert pkthdr any any -> any any (msg:"SURICATA GRE wrong version"; decode-event:gre.wrong_version; classtype:protocol-command-decode; sid:2200053; rev:2;) alert pkthdr any any -> any any (msg:"SURICATA GRE v0 recursion control"; decode-event:gre.version0_recur; classtype:protocol-command-decode; sid:2200054; rev:2;) alert pkthdr any any -> any any (msg:"SURICATA GRE v0 flags"; decode-event:gre.version0_flags; classtype:protocol-command-decode; sid:2200055; rev:2;) alert pkthdr any any -> any any (msg:"SURICATA GRE v0 header too big"; decode-event:gre.version0_hdr_too_big; classtype:protocol-command-decode; sid:2200056; rev:2;) alert pkthdr any any -> any any (msg:"SURICATA GRE v1 checksum present"; decode-event:gre.version1_chksum; classtype:protocol-command-decode; sid:2200057; rev:2;) alert pkthdr any any -> any any (msg:"SURICATA GRE v1 routing present"; decode-event:gre.version1_route; classtype:protocol-command-decode; sid:2200058; rev:2;) alert pkthdr any any -> any any (msg:"SURICATA GRE v1 strict source route"; decode-event:gre.version1_ssr; classtype:protocol-command-decode; sid:2200059; rev:2;) alert pkthdr any any -> any any (msg:"SURICATA GRE v1 recursion control"; decode-event:gre.version1_recur; classtype:protocol-command-decode; sid:2200060; rev:2;) alert pkthdr any any -> any any (msg:"SURICATA GRE v1 flags"; decode-event:gre.version1_flags; classtype:protocol-command-decode; sid:2200061; rev:2;) alert pkthdr any any -> any any (msg:"SURICATA GRE v1 no key present"; decode-event:gre.version1_no_key; classtype:protocol-command-decode; sid:2200062; rev:2;) alert pkthdr any any -> any any (msg:"SURICATA GRE v1 wrong protocol"; decode-event:gre.version1_wrong_protocol; classtype:protocol-command-decode; sid:2200063; rev:2;) alert pkthdr any any -> any any (msg:"SURICATA GRE v1 malformed Source Route Entry header"; decode-event:gre.version1_malformed_sre_hdr; classtype:protocol-command-decode; sid:2200064; rev:2;) alert pkthdr any any -> any any (msg:"SURICATA GRE v1 header too big"; decode-event:gre.version1_hdr_too_big; classtype:protocol-command-decode; sid:2200065; rev:2;) alert pkthdr any any -> any any (msg:"SURICATA VLAN header too small "; decode-event:vlan.header_too_small; classtype:protocol-command-decode; sid:2200066; rev:2;) alert pkthdr any any -> any any (msg:"SURICATA VLAN unknown type"; decode-event:vlan.unknown_type; classtype:protocol-command-decode; sid:2200067; rev:2;) # more than 2 vlan layers in the packet alert pkthdr any any -> any any (msg:"SURICATA VLAN too many layers"; decode-event:vlan.too_many_layers; classtype:protocol-command-decode; sid:2200091; rev:2;) alert pkthdr any any -> any any (msg:"SURICATA IP raw invalid IP version "; decode-event:ipraw.invalid_ip_version; classtype:protocol-command-decode; sid:2200068; rev:2;) alert pkthdr any any -> any any (msg:"SURICATA FRAG IPv4 Packet size too large"; decode-event:ipv4.frag_pkt_too_large; classtype:protocol-command-decode; sid:2200069; rev:3;) alert pkthdr any any -> any any (msg:"SURICATA FRAG IPv4 Fragmentation overlap"; decode-event:ipv4.frag_overlap; classtype:protocol-command-decode; sid:2200070; rev:2;) alert pkthdr any any -> any any (msg:"SURICATA FRAG IPv6 Packet size too large"; decode-event:ipv6.frag_pkt_too_large; classtype:protocol-command-decode; sid:2200071; rev:3;) alert pkthdr any any -> any any (msg:"SURICATA FRAG IPv6 Fragmentation overlap"; decode-event:ipv6.frag_overlap; classtype:protocol-command-decode; sid:2200072; rev:2;) # checksum rules alert ip any any -> any any (msg:"SURICATA IPv4 invalid checksum"; ipv4-csum:invalid; classtype:protocol-command-decode; sid:2200073; rev:2;) alert tcp any any -> any any (msg:"SURICATA TCPv4 invalid checksum"; tcpv4-csum:invalid; classtype:protocol-command-decode; sid:2200074; rev:2;) alert udp any any -> any any (msg:"SURICATA UDPv4 invalid checksum"; udpv4-csum:invalid; classtype:protocol-command-decode; sid:2200075; rev:2;) alert icmp any any -> any any (msg:"SURICATA ICMPv4 invalid checksum"; icmpv4-csum:invalid; classtype:protocol-command-decode; sid:2200076; rev:2;) alert tcp any any -> any any (msg:"SURICATA TCPv6 invalid checksum"; tcpv6-csum:invalid; classtype:protocol-command-decode; sid:2200077; rev:2;) alert udp any any -> any any (msg:"SURICATA UDPv6 invalid checksum"; udpv6-csum:invalid; classtype:protocol-command-decode; sid:2200078; rev:2;) alert icmp any any -> any any (msg:"SURICATA ICMPv6 invalid checksum"; icmpv6-csum:invalid; classtype:protocol-command-decode; sid:2200079; rev:2;) # IPv4 in IPv6 rules alert pkthdr any any -> any any (msg:"SURICATA IPv4-in-IPv6 packet too short"; decode-event:ipv6.ipv4_in_ipv6_too_small; classtype:protocol-command-decode; sid:2200082; rev:2;) alert pkthdr any any -> any any (msg:"SURICATA IPv4-in-IPv6 invalid protocol"; decode-event:ipv6.ipv4_in_ipv6_wrong_version; classtype:protocol-command-decode; sid:2200083; rev:2;) # IPv6 in IPv6 rules alert pkthdr any any -> any any (msg:"SURICATA IPv6-in-IPv6 packet too short"; decode-event:ipv6.ipv6_in_ipv6_too_small; classtype:protocol-command-decode; sid:2200084; rev:2;) alert pkthdr any any -> any any (msg:"SURICATA IPv6-in-IPv6 invalid protocol"; decode-event:ipv6.ipv6_in_ipv6_wrong_version; classtype:protocol-command-decode; sid:2200085; rev:2;) # MPLS rules alert pkthdr any any -> any any (msg:"SURICATA MPLS header too small"; decode-event:mpls.header_too_small; classtype:protocol-command-decode; sid:2200111; rev:2;) alert pkthdr any any -> any any (msg:"SURICATA MPLS bad router alert label"; decode-event:mpls.bad_label_router_alert; classtype:protocol-command-decode; sid:2200098; rev:2;) alert pkthdr any any -> any any (msg:"SURICATA MPLS bad implicit null label"; decode-event:mpls.bad_label_implicit_null; classtype:protocol-command-decode; sid:2200099; rev:2;) alert pkthdr any any -> any any (msg:"SURICATA MPLS reserved label"; decode-event:mpls.bad_label_reserved; classtype:protocol-command-decode; sid:2200100; rev:2;) alert pkthdr any any -> any any (msg:"SURICATA MPLS unknown payload type"; decode-event:mpls.unknown_payload_type; classtype:protocol-command-decode; sid:2200101; rev:2;) # linktype null alert pkthdr any any -> any any (msg:"SURICATA NULL pkt too small"; decode-event:ltnull.pkt_too_small; classtype:protocol-command-decode; sid:2200103; rev:2;) # packet has type not supported by Suricata's decoders alert pkthdr any any -> any any (msg:"SURICATA NULL unsupported type"; decode-event:ltnull.unsupported_type; classtype:protocol-command-decode; sid:2200104; rev:2;) # ERSPAN alert pkthdr any any -> any any (msg:"SURICATA ERSPAN pkt too small"; decode-event:erspan.header_too_small; classtype:protocol-command-decode; sid:2200105; rev:2;) # packet has type not supported by Suricata's decoders alert pkthdr any any -> any any (msg:"SURICATA ERSPAN unsupported version"; decode-event:erspan.unsupported_version; classtype:protocol-command-decode; sid:2200106; rev:2;) alert pkthdr any any -> any any (msg:"SURICATA ERSPAN too many vlan layers"; decode-event:erspan.too_many_vlan_layers; classtype:protocol-command-decode; sid:2200107; rev:2;) # Cisco Fabric Path/DCE alert pkthdr any any -> any any (msg:"SURICATA DCE packet too small"; decode-event:dce.pkt_too_small; classtype:protocol-command-decode; sid:2200110; rev:2;) # next sid is 2200112
6、SELKS里的suricata的dnp3-events.rules(非常重要)
# DNP3 application decoder event rules. # # This SIDs fall in the 2270000+ range. See: # http://doc.emergingthreats.net/bin/view/Main/SidAllocation # Flooded. alert dnp3 any any -> any any (msg:"SURICATA DNP3 Request flood detected"; app-layer-event:dnp3.flooded; classtype:protocol-command-decode; sid:2270000; rev:2;) # Length to small for PDU type. For example, link specifies the type # as user data, but the length field is not large enough for user # data. alert dnp3 any any -> any any (msg:"SURICATA DNP3 Length too small"; app-layer-event:dnp3.len_too_small; classtype:protocol-command-decode; sid:2270001; rev:3;) # Bad link layer CRC. alert dnp3 any any -> any any (msg:"SURICATA DNP3 Bad link CRC"; app-layer-event:dnp3.bad_link_crc; classtype:protocol-command-decode; sid:2270002; rev:2;) # Bad transport layer CRC. alert dnp3 any any -> any any (msg:"SURICATA DNP3 Bad transport CRC"; app-layer-event:dnp3.bad_transport_crc; classtype:protocol-command-decode; sid:2270003; rev:2;) # Unknown object. alert dnp3 any any -> any any (msg:"SURICATA DNP3 Unknown object"; app-layer-event:dnp3.unknown_object; classtype:protocol-command-decode; sid:2270004; rev:2;)
7、SELKS里的suricata的dns-events.rules(非常重要)
# Response (answer) we didn't see a Request for. Could be packet loss. alert dns any any -> any any (msg:"SURICATA DNS Unsolicited response"; flow:to_client; app-layer-event:dns.unsollicited_response; classtype:protocol-command-decode; sid:2240001; rev:2;) # Malformed data in request. Malformed means length fields are wrong, etc. alert dns any any -> any any (msg:"SURICATA DNS malformed request data"; flow:to_server; app-layer-event:dns.malformed_data; classtype:protocol-command-decode; sid:2240002; rev:2;) alert dns any any -> any any (msg:"SURICATA DNS malformed response data"; flow:to_client; app-layer-event:dns.malformed_data; classtype:protocol-command-decode; sid:2240003; rev:2;) # Response flag set on to_server packet alert dns any any -> any any (msg:"SURICATA DNS Not a request"; flow:to_server; app-layer-event:dns.not_a_request; classtype:protocol-command-decode; sid:2240004; rev:2;) # Response flag not set on to_client packet alert dns any any -> any any (msg:"SURICATA DNS Not a response"; flow:to_client; app-layer-event:dns.not_a_response; classtype:protocol-command-decode; sid:2240005; rev:2;) # Z flag (reserved) not 0 alert dns any any -> any any (msg:"SURICATA DNS Z flag set"; app-layer-event:dns.z_flag_set; classtype:protocol-command-decode; sid:2240006; rev:2;) # Request Flood Detected alert dns any any -> any any (msg:"SURICATA DNS request flood detected"; flow:to_server; app-layer-event:dns.flooded; classtype:protocol-command-decode; sid:2240007; rev:2;) # Per-flow (state) memcap reached. Relates to the app-layer.protocols.dns.state-memcap setting. alert dns any any -> any any (msg:"SURICATA DNS flow memcap reached"; flow:to_server; app-layer-event:dns.state_memcap_reached; classtype:protocol-command-decode; sid:2240008; rev:3;)
8、SELKS里的suricata的emerging.conf(非常重要)
# # Emerging Threats Configuration Include # # This file is intended to be added to your snort.conf as an include. # The intention is to make sure that any specific variables and the # like are included in your instance of snort. # # Add a line like this to your snort.conf, or just use this file to # decide which variables to add to your own snort.conf: # # include $RULE_PATH/emerging.conf # # This file is valid for both Emerging Threats open and ET Pro rulesets # # # More information available at www.emergingthreats.net or # www.emergingthreatspro.com # # ############################################################################## # This var is required for several sigs in the POLICY ruleset. It is plural because you can do a range of ports #var SSH_PORTS 22 #These vars are required if you're using the Digitalbond Scada signatures in the scada.rules category #var DNP3_SERVER $HOME_NET #var DNP3_CLIENT $HOME_NET #var DNP3_PORTS 20000 #var MODBUS_CLIENT $HOME_NET #var MODBUS_SERVER $HOME_NET #var ENIP_CLIENT $HOME_NET #var ENIP_SERVER $HOME_NET #include $RULE_PATH/classification.config #include $RULE_PATH/reference.config #include $RULE_PATH/emerging-ftp.rules #include $RULE_PATH/emerging-policy.rules #include $RULE_PATH/emerging-trojan.rules #include $RULE_PATH/emerging-games.rules #include $RULE_PATH/emerging-pop3.rules #include $RULE_PATH/emerging-user_agents.rules ##include $RULE_PATH/emerging-activex.rules #include $RULE_PATH/emerging-rpc.rules #include $RULE_PATH/emerging-attack_response.rules #include $RULE_PATH/emerging-icmp.rules #include $RULE_PATH/emerging-scan.rules #include $RULE_PATH/emerging-scada.rules #include $RULE_PATH/emerging-voip.rules #include $RULE_PATH/emerging-chat.rules ##include $RULE_PATH/emerging-icmp_info.rules ##include $RULE_PATH/emerging-shellcode.rules ##include $RULE_PATH/emerging-web_client.rules #include $RULE_PATH/emerging-imap.rules #include $RULE_PATH/emerging-web_server.rules #include $RULE_PATH/emerging-current_events.rules ##include $RULE_PATH/emerging-inappropriate.rules #include $RULE_PATH/emerging-smtp.rules ##include $RULE_PATH/emerging-web_specific_apps.rules ##include $RULE_PATH/emerging-deleted.rules #include $RULE_PATH/emerging-malware.rules #include $RULE_PATH/emerging-snmp.rules #include $RULE_PATH/emerging-worm.rules #include $RULE_PATH/emerging-dns.rules #include $RULE_PATH/emerging-misc.rules #include $RULE_PATH/emerging-sql.rules #include $RULE_PATH/emerging-dos.rules #include $RULE_PATH/emerging-netbios.rules #include $RULE_PATH/emerging-telnet.rules #include $RULE_PATH/emerging-exploit.rules #include $RULE_PATH/emerging-p2p.rules #include $RULE_PATH/emerging-tftp.rules #include $RULE_PATH/emerging-mobile_malware.rules #include $RULE_PATH/emerging-info.rules #include $RULE_PATH/emerging-botcc.rules #include $RULE_PATH/emerging-botcc-BLOCK.rules #include $RULE_PATH/emerging-compromised.rules #include $RULE_PATH/emerging-compromised-BLOCK.rules #include $RULE_PATH/emerging-drop.rules #include $RULE_PATH/emerging-drop-BLOCK.rules #include $RULE_PATH/emerging-dshield.rules #include $RULE_PATH/emerging-dshield-BLOCK.rules #include $RULE_PATH/emerging-tor.rules #include $RULE_PATH/emerging-tor-BLOCK.rules #include $RULE_PATH/emerging-ciarmy.rules
9、SELKS里的suricata的files.rules(非常重要)
# Example rules for using the file handling and extraction functionality in Suricata. # # For storing files make sure you enable the "file" output. # Also, make sure you read the comments that go with it in the suricata.yaml file. # Alert on files with jpg or bmp extensions #alert http any any -> any any (msg:"FILEEXT JPG file claimed"; fileext:"jpg"; sid:1; rev:1;) #alert http any any -> any any (msg:"FILEEXT BMP file claimed"; fileext:"bmp"; sid:3; rev:1;) # Store all files with jpg or pdf extension. #alert http any any -> any any (msg:"FILESTORE jpg"; flow:established,to_server; fileext:"jpg"; filestore; sid:6; rev:1;) #alert http any any -> any any (msg:"FILESTORE pdf"; flow:established,to_server; fileext:"pdf"; filestore; sid:8; rev:1;) # Store all PDF files, regardless of their name. #alert http any any -> any any (msg:"FILEMAGIC pdf"; flow:established,to_server; filemagic:"PDF document"; filestore; sid:9; rev:1;) # Same for JPEG's. #alert http any any -> any any (msg:"FILEMAGIC jpg(1)"; flow:established,to_server; filemagic:"JPEG image data"; filestore; sid:10; rev:1;) #alert http any any -> any any (msg:"FILEMAGIC jpg(2)"; flow:established,to_server; filemagic:"JFIF"; filestore; sid:11; rev:1;) # Unually short file #alert http any any -> any any (msg:"FILEMAGIC short"; flow:established,to_server; filemagic:"very short file (no magic)"; filestore; sid:12; rev:1;) # Simply store all files we encounter, no alerts. #alert http any any -> any any (msg:"FILE store all"; filestore; noalert; sid:15; rev:1;) # Store all JPG files, don't alert. #alert http any any -> any any (msg:"FILE magic"; filemagic:"JFIF"; filestore; noalert; sid:16; rev:1;) #alert http any any -> any any (msg:"FILE magic"; filemagic:"GIF"; filestore; noalert; sid:23; rev:1;) #alert http any any -> any any (msg:"FILE magic"; filemagic:"PNG"; filestore; noalert; sid:17; rev:1;) # Store all Windows executables #alert http any any -> any any (msg:"FILE magic -- windows"; flow:established,to_client; filemagic:"executable for MS Windows"; filestore; sid:18; rev:1;) # Alert on PNG with 1x1 pixels (tracking) #alert http any any -> any any (msg:"FILE tracking PNG (1x1 pixel) (1)"; filemagic:"PNG image data, 1 x 1,"; sid:19; rev:1;) #alert http any any -> any any (msg:"FILE tracking PNG (1x1 pixel) (2)"; filemagic:"PNG image data, 1 x 1|00|"; sid:20; rev:1;) # Alert on GIT with 1x1 pixels (tracking) # The pattern matches on |00| which is the end of the magic buffer, this way we won't match on 1 x 128. #alert http any any -> any any (msg:"FILE tracking GIF (1x1 pixel)"; filemagic:"GIF image data, version 89a, 1 x 1|00|"; sid:21; rev:1;) # Alert and store pdf attachment but not pdf file #alert http any any -> any any (msg:"FILE pdf claimed, but not pdf"; flow:established,to_client; fileext:"pdf"; filemagic:!"PDF document"; filestore; sid:22; rev:1;) # Alert and store files over SMTP #alert smtp any any -> any any (msg:"File Found over SMTP and stored"; filestore; sid:27; rev:1;)
10、SELKS里的suricata的gen-msg.map(非常重要)
# $Id: gen-msg.map,v 1.8 2010/04/15 19:55:13 mwatchinski Exp $ # GENERATORS -> msg map # Format: generatorid || alertid || MSG 1 || 1 || snort general alert 2 || 1 || tag: Tagged Packet 3 || 1 || snort dynamic alert 100 || 1 || spp_portscan: Portscan Detected 100 || 2 || spp_portscan: Portscan Status 100 || 3 || spp_portscan: Portscan Ended 101 || 1 || spp_minfrag: minfrag alert 102 || 1 || http_decode: Unicode Attack 102 || 2 || http_decode: CGI NULL Byte Attack 102 || 3 || http_decode: large method attempted 102 || 4 || http_decode: missing uri 102 || 5 || http_decode: double encoding detected 102 || 6 || http_decode: illegal hex values detected 102 || 7 || http_decode: overlong character detected 103 || 1 || spp_defrag: Fragmentation Overflow Detected 103 || 2 || spp_defrag: Stale Fragments Discarded 104 || 1 || spp_anomsensor: SPADE Anomaly Threshold Exceeded 104 || 2 || spp_anomsensor: SPADE Anomaly Threshold Adjusted 105 || 1 || spp_bo: Back Orifice Traffic Detected 105 || 2 || spp_bo: Back Orifice Client Traffic Detected 105 || 3 || spp_bo: Back Orifice Server Traffic Detected 105 || 4 || spp_bo: Back Orifice Snort Buffer Attack 106 || 1 || spp_rpc_decode: Fragmented RPC Records 106 || 2 || spp_rpc_decode: Multiple Records in one packet 106 || 3 || spp_rpc_decode: Large RPC Record Fragment 106 || 4 || spp_rpc_decode: Incomplete RPC segment 106 || 5 || spp_rpc_decode: Zero-length RPC Fragment 110 || 1 || spp_unidecode: CGI NULL Attack 110 || 2 || spp_unidecode: Directory Traversal 110 || 3 || spp_unidecode: Unknown Mapping 110 || 4 || spp_unidecode: Invalid Mapping 111 || 1 || spp_stream4: Stealth Activity Detected 111 || 2 || spp_stream4: Evasive Reset Packet 111 || 3 || spp_stream4: Retransmission 111 || 4 || spp_stream4: Window Violation 111 || 5 || spp_stream4: Data on SYN Packet 111 || 6 || spp_stream4: Full XMAS Stealth Scan 111 || 7 || spp_stream4: SAPU Stealth Scan 111 || 8 || spp_stream4: FIN Stealth Scan 111 || 9 || spp_stream4: NULL Stealth Scan 111 || 10 || spp_stream4: NMAP XMAS Stealth Scan 111 || 11 || spp_stream4: VECNA Stealth Scan 111 || 12 || spp_stream4: NMAP Fingerprint Stateful Detection 111 || 13 || spp_stream4: SYN FIN Stealth Scan 111 || 14 || spp_stream4: TCP forward overlap detected 111 || 15 || spp_stream4: TTL Evasion attempt 111 || 16 || spp_stream4: Evasive retransmitted data attempt 111 || 17 || spp_stream4: Evasive retransmitted data with the data split attempt 111 || 18 || spp_stream4: Multiple acked 111 || 19 || spp_stream4: Shifting to Emergency Session Mode 111 || 20 || spp_stream4: Shifting to Suspend Mode 111 || 21 || spp_stream4: TCP Timestamp option has value of zero 111 || 22 || spp_stream4: Too many overlapping TCP packets 111 || 23 || spp_stream4: Packet in established TCP stream missing ACK 111 || 24 || spp_stream4: Evasive FIN Packet 111 || 25 || spp_stream4: SYN on established 112 || 1 || spp_arpspoof: Directed ARP Request 112 || 2 || spp_arpspoof: Etherframe ARP Mismatch SRC 112 || 3 || spp_arpspoof: Etherframe ARP Mismatch DST 112 || 4 || spp_arpspoof: ARP Cache Overwrite Attack 113 || 1 || spp_frag2: Oversized Frag 113 || 2 || spp_frag2: Teardrop/Fragmentation Overlap Attack 113 || 3 || spp_frag2: TTL evasion detected 113 || 4 || spp_frag2: overlap detected 113 || 5 || spp_frag2: Duplicate first fragments 113 || 6 || spp_frag2: memcap exceeded 113 || 7 || spp_frag2: Out of order fragments 113 || 8 || spp_frag2: IP Options on Fragmented Packet 113 || 9 || spp_frag2: Shifting to Emegency Session Mode 113 || 10 || spp_frag2: Shifting to Suspend Mode 114 || 1 || spp_fnord: Possible Mutated GENERIC NOP Sled detected 114 || 2 || spp_fnord: Possible Mutated IA32 NOP Sled detected 114 || 3 || spp_fnord: Possible Mutated HPPA NOP Sled detected 114 || 4 || spp_fnord: Possible Mutated SPARC NOP Sled detected 115 || 1 || spp_asn1: Indefinite ASN.1 length encoding 115 || 2 || spp_asn1: Invalid ASN.1 length encoding 115 || 3 || spp_asn1: ASN.1 oversized item, possible overflow 115 || 4 || spp_asn1: ASN.1 spec violation, possible overflow 115 || 5 || spp_asn1: ASN.1 Attack: Datum length > packet length 116 || 1 || snort_decoder: Not IPv4 datagram! 116 || 2 || snort_decoder: WARNING: hlen < IP_HEADER_LEN! 116 || 3 || snort_decoder: WARNING: IP dgm len < IP Hdr len! 116 || 4 || snort_decoder: Bad IPv4 Options 116 || 5 || snort_decoder: Truncated IPv4 Options 116 || 6 || snort_decoder: WARNING: IP dgm len > captured len! 116 || 45 || snort_decoder: TCP packet len is smaller than 20 bytes! 116 || 46 || snort_decoder: TCP Data Offset is less than 5! 116 || 47 || snort_decoder: TCP Data Offset is longer than payload! 116 || 54 || snort_decoder: Tcp Options found with bad lengths 116 || 55 || snort_decoder: Truncated Tcp Options 116 || 56 || snort_decoder: T/TCP Detected 116 || 57 || snort_decoder: Obsolete TCP options 116 || 58 || snort_decoder: Experimental TCP options 116 || 59 || snort_decoder: TCP Window Scale Option Scale Invalid (> 14) 116 || 95 || snort_decoder: Truncated UDP Header! 116 || 96 || snort_decoder: Invalid UDP header, length field < 8 116 || 97 || snort_decoder: Short UDP packet, length field > payload length 116 || 98 || snort_decoder: Long UDP packet, length field < payload length 116 || 105 || snort_decoder: ICMP Header Truncated! 116 || 106 || snort_decoder: ICMP Timestamp Header Truncated! 116 || 107 || snort_decoder: ICMP Address Header Truncated! 116 || 108 || snort_decoder: Unknown Datagram decoding problem! 116 || 109 || snort_decoder: Truncated ARP Packet! 116 || 110 || snort_decoder: Truncated EAP Header! 116 || 111 || snort_decoder: EAP Key Truncated! 116 || 112 || snort_decoder: EAP Header Truncated! 116 || 120 || snort_decoder: WARNING: Bad PPPOE frame detected! 116 || 130 || snort_decoder: WARNING: Bad VLAN Frame! 116 || 131 || snort_decoder: WARNING: Bad LLC header! 116 || 132 || snort_decoder: WARNING: Bad Extra LLC Info! 116 || 133 || snort_decoder: WARNING: Bad 802.11 LLC header! 116 || 134 || snort_decoder: WARNING: Bad 802.11 Extra LLC Info! 116 || 140 || snort_decoder: WARNING: Bad Token Ring Header! 116 || 141 || snort_decoder: WARNING: Bad Token Ring ETHLLC Header! 116 || 142 || snort_decoder: WARNING: Bad Token Ring MRLEN Header! 116 || 143 || snort_decoder: WARNING: Bad Token Ring MR Header! 116 || 150 || snort_decoder: Bad Traffic Loopback IP! 116 || 151 || snort_decoder: Bad Traffic Same Src/Dst IP! 116 || 160 || snort_decoder: WARNING: GRE header length > payload length 116 || 161 || snort_decoder: WARNING: Multiple encapsulations in packet 116 || 162 || snort_decoder: WARNING: Invalid GRE version 116 || 163 || snort_decoder: WARNING: Invalid GRE v.0 header 116 || 164 || snort_decoder: WARNING: Invalid GRE v.1 PPTP header 116 || 165 || snort_decoder: WARNING: GRE Trans header length > payload length 116 || 170 || snort_decoder: Bad MPLS Frame 116 || 171 || snort_decoder: MPLS Label 0 Appears in Nonbottom Header 116 || 172 || snort_decoder: MPLS Label 1 Appears in Bottom Header 116 || 173 || snort_decoder: MPLS Label 2 Appears in Nonbottom Header 116 || 174 || snort_decoder: Bad use of label 3 116 || 175 || snort_decoder: MPLS Label 4, 5,.. or 15 Appears in Header 116 || 176 || snort_decoder: Too Many MPLS headers 116 || 250 || snort_decoder: WARNING: ICMP Original IP Header Truncated! 116 || 251 || snort_decoder: WARNING: ICMP Original IP Header Not IPv4! 116 || 252 || snort_decoder: WARNING: ICMP Original Datagram Length < Original IP Header Length! 116 || 253 || snort_decoder: WARNING: ICMP Original IP Payload < 64 bits! 116 || 254 || snort_decoder: WARNING: ICMP Original IP Payload > 576 bytes! 116 || 255 || snort_decoder: WARNING: ICMP Original IP Fragmented and Offset Not 0! 116 || 270 || snort_decoder: WARNING: IPV6 packet exceeded TTL limit 116 || 271 || snort_decoder: WARNING: IPv6 header claims to not be IPv6 116 || 272 || snort_decoder: WARNING: IPV6 truncated extension header 116 || 273 || snort_decoder: WARNING: IPV6 truncated header 116 || 274 || snort_decoder: WARNING: IPV6 dgm len < IPV6 Hdr len! 116 || 275 || snort_decoder: WARNING: IPV6 dgm len > captured len! 116 || 291 || snort_decoder: IPV6 tunneled over IPv4, IPv6 header truncated, possible Linux Kernel attack 116 || 400 || snort_decoder: WARNING: XMAS Attack Detected! 116 || 401 || snort_decoder: WARNING: Nmap XMAS Attack Detected! 116 || 402 || snort_decoder: DOS NAPTHA Vulnerability Detected! 116 || 403 || snort_decoder: Bad Traffic SYN to multicast address 116 || 404 || snort_decoder: WARNING: IPV4 packet with zero TTL 116 || 405 || snort_decoder: WARNING: IPV4 packet with bad frag bits (Both MF and DF set) 116 || 406 || snort_decoder: Invalid IPv6 UDP packet, checksum zero 117 || 1 || spp_portscan2: Portscan detected! 118 || 1 || spp_conversation: Bad IP protocol! 119 || 1 || http_inspect: ASCII ENCODING 119 || 2 || http_inspect: DOUBLE DECODING ATTACK 119 || 3 || http_inspect: U ENCODING 119 || 4 || http_inspect: BARE BYTE UNICODE ENCODING 119 || 5 || http_inspect: BASE36 ENCODING 119 || 6 || http_inspect: UTF-8 ENCODING 119 || 7 || http_inspect: IIS UNICODE CODEPOINT ENCODING 119 || 8 || http_inspect: MULTI_SLASH ENCODING 119 || 9 || http_inspect: IIS BACKSLASH EVASION 119 || 10 || http_inspect: SELF DIRECTORY TRAVERSAL 119 || 11 || http_inspect: DIRECTORY TRAVERSAL 119 || 12 || http_inspect: APACHE WHITESPACE (TAB) 119 || 13 || http_inspect: NON-RFC HTTP DELIMITER 119 || 14 || http_inspect: NON-RFC DEFINED CHAR 119 || 15 || http_inspect: OVERSIZE REQUEST-URI DIRECTORY 119 || 16 || http_inspect: OVERSIZE CHUNK ENCODING 119 || 17 || http_inspect: UNAUTHORIZED PROXY USE DETECTED 119 || 18 || http_inspect: WEBROOT DIRECTORY TRAVERSAL 119 || 19 || http_inspect: LONG HEADER 119 || 20 || http_inspect: MAX HEADERS 119 || 21 || http_inspect: MULTIPLE CONTENT LENGTH HEADER FIELDS 119 || 22 || http_inspect: CHUNK SIZE MISMATCH DETECTED 120 || 1 || http_inspect: ANOMALOUS HTTP SERVER ON UNDEFINED HTTP PORT 121 || 1 || flow-portscan: Fixed Scale Scanner Limit Exceeded 121 || 2 || flow-portscan: Sliding Scale Scanner Limit Exceeded 121 || 3 || flow-portscan: Fixed Scale Talker Limit Exceeded 121 || 4 || flow-portscan: Sliding Scale Talker Limit Exceeded 122 || 1 || portscan: TCP Portscan 122 || 2 || portscan: TCP Decoy Portscan 122 || 3 || portscan: TCP Portsweep 122 || 4 || portscan: TCP Distributed Portscan 122 || 5 || portscan: TCP Filtered Portscan 122 || 6 || portscan: TCP Filtered Decoy Portscan 122 || 7 || portscan: TCP Filtered Portsweep 122 || 8 || portscan: TCP Filtered Distributed Portscan 122 || 9 || portscan: IP Protocol Scan 122 || 10 || portscan: IP Decoy Protocol Scan 122 || 11 || portscan: IP Protocol Sweep 122 || 12 || portscan: IP Distributed Protocol Scan 122 || 13 || portscan: IP Filtered Protocol Scan 122 || 14 || portscan: IP Filtered Decoy Protocol Scan 122 || 15 || portscan: IP Filtered Protocol Sweep 122 || 16 || portscan: IP Filtered Distributed Protocol Scan 122 || 17 || portscan: UDP Portscan 122 || 18 || portscan: UDP Decoy Portscan 122 || 19 || portscan: UDP Portsweep 122 || 20 || portscan: UDP Distributed Portscan 122 || 21 || portscan: UDP Filtered Portscan 122 || 22 || portscan: UDP Filtered Decoy Portscan 122 || 23 || portscan: UDP Filtered Portsweep 122 || 24 || portscan: UDP Filtered Distributed Portscan 122 || 25 || portscan: ICMP Sweep 122 || 26 || portscan: ICMP Filtered Sweep 122 || 27 || portscan: Open Port 123 || 1 || frag3: IP Options on fragmented packet 123 || 2 || frag3: Teardrop attack 123 || 3 || frag3: Short fragment, possible DoS attempt 123 || 4 || frag3: Fragment packet ends after defragmented packet 123 || 5 || frag3: Zero-byte fragment 123 || 6 || frag3: Bad fragment size, packet size is negative 123 || 7 || frag3: Bad fragment size, packet size is greater than 65536 123 || 8 || frag3: Fragmentation overlap 123 || 9 || frag3: IPv6 BSD mbufs remote kernel buffer overflow 123 || 10 || frag3: Bogus fragmentation packet. Possible BSD attack 123 || 11 || frag3: TTL value less than configured minimum, not using for reassembly 123 || 12 || frag3: Number of overlapping fragments exceed configured limit 123 || 13 || frag3: Fragments smaller than configured min_fragment_length 124 || 1 || smtp: Attempted command buffer overflow 124 || 2 || smtp: Attempted data header buffer overflow 124 || 3 || smtp: Attempted response buffer overflow 124 || 4 || smtp: Attempted specific command buffer overflow 124 || 5 || smtp: Unknown command 124 || 6 || smtp: Illegal command 124 || 7 || smtp: Attempted header name buffer overflow 124 || 8 || smtp: Attempted X-Link2State command buffer overflow 125 || 1 || ftp_pp: Telnet command on FTP command channel 125 || 2 || ftp_pp: Invalid FTP command 125 || 3 || ftp_pp: FTP parameter length overflow 125 || 4 || ftp_pp: FTP malformed parameter 125 || 5 || ftp_pp: Possible string format attempt in FTP command/parameter 125 || 6 || ftp_pp: FTP response length overflow 125 || 7 || ftp_pp: FTP command channel encrypted 125 || 8 || ftp_pp: FTP bounce attack 125 || 9 || ftp_pp: Evasive Telnet command on FTP command channel 126 || 1 || telnet_pp: Telnet consecutive AYT overflow 126 || 2 || telnet_pp: Telnet data encrypted 126 || 3 || telnet_pp: Subnegotiation Begin without matching Subnegotiation End 128 || 1 || ssh: Gobbles exploit 128 || 2 || ssh: SSH1 CRC32 exploit 128 || 3 || ssh: Server version string overflow 128 || 4 || ssh: Protocol mismatch 128 || 5 || ssh: Bad message direction 128 || 6 || ssh: Payload size incorrect for the given payload 128 || 7 || ssh: Failed to detect SSH version string 129 || 1 || stream5: SYN on established session 129 || 2 || stream5: Data on SYN packet 129 || 3 || stream5: Data sent on stream not accepting data 129 || 4 || stream5: TCP Timestamp is outside of PAWS window 129 || 5 || stream5: Bad segment, overlap adjusted size less than/equal 0 129 || 6 || stream5: Window size (after scaling) larger than policy allows 129 || 7 || stream5: Limit on number of overlapping TCP packets reached 129 || 8 || stream5: Data sent on stream after TCP Reset 129 || 9 || stream5: TCP Client possibly hijacked, different Ethernet Address 129 || 10 || stream5: TCP Server possibly hijacked, different Ethernet Address 129 || 11 || stream5: TCP Data with no TCP Flags set 129 || 12 || stream5: TCP Small Segment Threshold Exceeded 129 || 13 || stream5: TCP 4-way handshake detected 129 || 14 || stream5: TCP Timestamp is missing 130 || 1 || dcerpc: Maximum memory usage reached 131 || 1 || dns: Obsolete DNS RData Type 131 || 2 || dns: Experimental DNS RData Type 131 || 3 || dns: Client RData TXT Overflow 133 || 1 || dcerpc2: Memory cap exceeded 133 || 2 || dcerpc2: SMB - Bad NetBIOS Session Service session type 133 || 3 || dcerpc2: SMB - Bad SMB message type 133 || 4 || dcerpc2: SMB - Bad SMB Id (not xffSMB) 133 || 5 || dcerpc2: SMB - Bad word count for command 133 || 6 || dcerpc2: SMB - Bad byte count for command 133 || 7 || dcerpc2: SMB - Bad format type for command 133 || 8 || dcerpc2: SMB - Bad AndX or data offset in command 133 || 9 || dcerpc2: SMB - Zero total data count in command 133 || 10 || dcerpc2: SMB - NetBIOS data length less than SMB header length 133 || 11 || dcerpc2: SMB - Remaining NetBIOS data length less than command length 133 || 12 || dcerpc2: SMB - Remaining NetBIOS data length less than command byte count 133 || 13 || dcerpc2: SMB - Remaining NetBIOS data length less than command data size 133 || 14 || dcerpc2: SMB - Remaining total data count less than this command data size 133 || 15 || dcerpc2: SMB - Total data sent greater than command total data expected 133 || 16 || dcerpc2: SMB - Byte count less than command data size 133 || 17 || dcerpc2: SMB - Invalid command data size for byte count 133 || 18 || dcerpc2: SMB - Excessive Tree Connect requests with pending Tree Connect responses 133 || 19 || dcerpc2: SMB - Excessive Read requests with pending Read responses 133 || 20 || dcerpc2: SMB - Excessive command chaining 133 || 21 || dcerpc2: SMB - Multiple chained login requests 133 || 22 || dcerpc2: SMB - Multiple chained tree connect requests 133 || 23 || dcerpc2: SMB - Chained login followed by logoff 133 || 24 || dcerpc2: SMB - Chained tree connect followed by tree disconnect 133 || 25 || dcerpc2: SMB - Chained open pipe followed by close pipe 133 || 26 || dcerpc2: SMB - Invalid share access 133 || 27 || dcerpc2: Connection-oriented DCE/RPC - Invalid major version 133 || 28 || dcerpc2: Connection-oriented DCE/RPC - Invalid minor version 133 || 29 || dcerpc2: Connection-oriented DCE/RPC - Invalid pdu type 133 || 30 || dcerpc2: Connection-oriented DCE/RPC - Fragment length less than header size 133 || 31 || dcerpc2: Connection-oriented DCE/RPC - Remaining fragment length less than size needed 133 || 32 || dcerpc2: Connection-oriented DCE/RPC - No context items specified 133 || 33 || dcerpc2: Connection-oriented DCE/RPC - No transfer syntaxes specified 133 || 34 || dcerpc2: Connection-oriented DCE/RPC - Fragment length on non-last fragment less than maximum negotiated fragment transmit size for client 133 || 35 || dcerpc2: Connection-oriented DCE/RPC - Fragment length greater than maximum negotiated fragment transmit size 133 || 36 || dcerpc2: Connection-oriented DCE/RPC - Alter Context byte order different from Bind 133 || 37 || dcerpc2: Connection-oriented DCE/RPC - Call id of non first/last fragment different from call id established for fragmented request 133 || 38 || dcerpc2: Connection-oriented DCE/RPC - Opnum of non first/last fragment different from opnum established for fragmented request 133 || 39 || dcerpc2: Connection-oriented DCE/RPC - Context id of non first/last fragment different from context id established for fragmented request 133 || 40 || dcerpc2: Connectionless DCE/RPC - Invalid major version 133 || 41 || dcerpc2: Connectionless DCE/RPC - Invalid pdu type 133 || 42 || dcerpc2: Connectionless DCE/RPC - Data length less than header size 133 || 43 || dcerpc2: Connectionless DCE/RPC - Bad sequence number 134 || 1 || ppm: rule tree disabled 134 || 2 || ppm: rule tree enabled 135 || 1 || internal: syn received 135 || 2 || internal: session established 135 || 3 || internal: session cleared 139 || 1 || sensitive_data: sensitive data global threshold exceeded
11、SELKS里的suricata的gpl-2.0.txt(非常重要)
GNU GENERAL PUBLIC LICENSE Version 2, June 1991 Copyright (C) 1989, 1991 Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. Preamble The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. This General Public License applies to most of the Free Software Foundation's software and to any other program whose authors commit to using it. (Some other Free Software Foundation software is covered by the GNU Lesser General Public License instead.) You can apply it to your programs, too. When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs; and that you know you can do these things. To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you distribute copies of the software, or if you modify it. For example, if you distribute copies of such a program, whether gratis or for a fee, you must give the recipients all the rights that you have. You must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights. We protect your rights with two steps: (1) copyright the software, and (2) offer you this license which gives you legal permission to copy, distribute and/or modify the software. Also, for each author's protection and ours, we want to make certain that everyone understands that there is no warranty for this free software. If the software is modified by someone else and passed on, we want its recipients to know that what they have is not the original, so that any problems introduced by others will not reflect on the original authors' reputations. Finally, any free program is threatened constantly by software patents. We wish to avoid the danger that redistributors of a free program will individually obtain patent licenses, in effect making the program proprietary. To prevent this, we have made it clear that any patent must be licensed for everyone's free use or not licensed at all. The precise terms and conditions for copying, distribution and modification follow. GNU GENERAL PUBLIC LICENSE TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 0. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License. The "Program", below, refers to any such program or work, and a "work based on the Program" means either the Program or any derivative work under copyright law: that is to say, a work containing the Program or a portion of it, either verbatim or with modifications and/or translated into another language. (Hereinafter, translation is included without limitation in the term "modification".) Each licensee is addressed as "you". Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running the Program is not restricted, and the output from the Program is covered only if its contents constitute a work based on the Program (independent of having been made by running the Program). Whether that is true depends on what the Program does. 1. You may copy and distribute verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and give any other recipients of the Program a copy of this License along with the Program. You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee. 2. You may modify your copy or copies of the Program or any portion of it, thus forming a work based on the Program, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions: a) You must cause the modified files to carry prominent notices stating that you changed the files and the date of any change. b) You must cause any work that you distribute or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License. c) If the modified program normally reads commands interactively when run, you must cause it, when started running for such interactive use in the most ordinary way, to print or display an announcement including an appropriate copyright notice and a notice that there is no warranty (or else, saying that you provide a warranty) and that users may redistribute the program under these conditions, and telling the user how to view a copy of this License. (Exception: if the Program itself is interactive but does not normally print such an announcement, your work based on the Program is not required to print an announcement.) These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Program, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Program, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it. Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Program. In addition, mere aggregation of another work not based on the Program with the Program (or with a work based on the Program) on a volume of a storage or distribution medium does not bring the other work under the scope of this License. 3. You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you also do one of the following: a) Accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or, b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or, c) Accompany it with the information you received as to the offer to distribute corresponding source code. (This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form with such an offer, in accord with Subsection b above.) The source code for a work means the preferred form of the work for making modifications to it. For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable. However, as a special exception, the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable. If distribution of executable or object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place counts as distribution of the source code, even though third parties are not compelled to copy the source along with the object code. 4. You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance. 5. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Program or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Program (or any work based on the Program), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Program or works based on it. 6. Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties to this License. 7. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Program at all. For example, if a patent license would not permit royalty-free redistribution of the Program by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Program. If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply and the section as a whole is intended to apply in other circumstances. It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system, which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice. This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License. 8. If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License. 9. The Free Software Foundation may publish revised and/or new versions of the General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. Each version is given a distinguishing version number. If the Program specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of this License, you may choose any version ever published by the Free Software Foundation. 10. If you wish to incorporate parts of the Program into other free programs whose distribution conditions are different, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally. NO WARRANTY 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. END OF TERMS AND CONDITIONS How to Apply These Terms to Your New Programs If you develop a new program, and you want it to be of the greatest possible use to the public, the best way to achieve this is to make it free software which everyone can redistribute and change under these terms. To do so, attach the following notices to the program. It is safest to attach them to the start of each source file to most effectively convey the exclusion of warranty; and each file should have at least the "copyright" line and a pointer to where the full notice is found. <one line to give the program's name and a brief idea of what it does.> Copyright (C) <year> <name of author> This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. Also add information on how to contact you by electronic and paper mail. If the program is interactive, make it output a short notice like this when it starts in an interactive mode: Gnomovision version 69, Copyright (C) year name of author Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. This is free software, and you are welcome to redistribute it under certain conditions; type `show c' for details. The hypothetical commands `show w' and `show c' should show the appropriate parts of the General Public License. Of course, the commands you use may be called something other than `show w' and `show c'; they could even be mouse-clicks or menu items--whatever suits your program. You should also get your employer (if you work as a programmer) or your school, if any, to sign a "copyright disclaimer" for the program, if necessary. Here is a sample; alter the names: Yoyodyne, Inc., hereby disclaims all copyright interest in the program `Gnomovision' (which makes passes at compilers) written by James Hacker. <signature of Ty Coon>, 1 April 1989 Ty Coon, President of Vice This General Public License does not permit incorporating your program into proprietary programs. If your program is a subroutine library, you may consider it more useful to permit linking proprietary applications with the library. If this is what you want to do, use the GNU Lesser General Public License instead of this License.
12、SELKS里的suricata的http-events.rules(非常重要)
# HTTP event rules # # SID's fall in the 2221000+ range. See http://doc.emergingthreats.net/bin/view/Main/SidAllocation # # These sigs fire at most once per HTTP transaction. # # A flowint http.anomaly.count is incremented for each match. By default it will be 0. # alert http any any -> any any (msg:"SURICATA HTTP unknown error"; flow:established; app-layer-event:http.unknown_error; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221000; rev:1;) alert http any any -> any any (msg:"SURICATA HTTP gzip decompression failed"; flow:established; app-layer-event:http.gzip_decompression_failed; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221001; rev:1;) alert http any any -> any any (msg:"SURICATA HTTP request field missing colon"; flow:established,to_server; app-layer-event:http.request_field_missing_colon; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221002; rev:1;) alert http any any -> any any (msg:"SURICATA HTTP response field missing colon"; flow:established,to_client; app-layer-event:http.response_field_missing_colon; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221020; rev:1;) alert http any any -> any any (msg:"SURICATA HTTP invalid request chunk len"; flow:established,to_server; app-layer-event:http.invalid_request_chunk_len; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221003; rev:1;) alert http any any -> any any (msg:"SURICATA HTTP invalid response chunk len"; flow:established,to_client; app-layer-event:http.invalid_response_chunk_len; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221004; rev:1;) alert http any any -> any any (msg:"SURICATA HTTP invalid transfer encoding value in request"; flow:established,to_server; app-layer-event:http.invalid_transfer_encoding_value_in_request; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221005; rev:1;) alert http any any -> any any (msg:"SURICATA HTTP invalid transfer encoding value in response"; flow:established,to_client; app-layer-event:http.invalid_transfer_encoding_value_in_response; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221006; rev:1;) alert http any any -> any any (msg:"SURICATA HTTP invalid content length field in request"; flow:established,to_server; app-layer-event:http.invalid_content_length_field_in_request; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221007; rev:1;) alert http any any -> any any (msg:"SURICATA HTTP invalid content length field in response"; flow:established,to_client; app-layer-event:http.invalid_content_length_field_in_response; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221008; rev:1;) alert http any any -> any any (msg:"SURICATA HTTP status 100-Continue already seen"; flow:established,to_client; app-layer-event:http.100_continue_already_seen; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221009; rev:1;) alert http any any -> any any (msg:"SURICATA HTTP unable to match response to request"; flow:established,to_client; app-layer-event:http.unable_to_match_response_to_request; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221010; rev:1;) alert http any any -> any any (msg:"SURICATA HTTP invalid server port in request"; flow:established,to_server; app-layer-event:http.invalid_server_port_in_request; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221011; rev:1;) alert http any any -> any any (msg:"SURICATA HTTP invalid authority port"; flow:established; app-layer-event:http.invalid_authority_port; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221012; rev:1;) alert http any any -> any any (msg:"SURICATA HTTP request header invalid"; flow:established,to_server; app-layer-event:http.request_header_invalid; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221013; rev:1;) alert http any any -> any any (msg:"SURICATA HTTP response header invalid"; flow:established,to_client; app-layer-event:http.response_header_invalid; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221021; rev:1;) alert http any any -> any any (msg:"SURICATA HTTP missing Host header"; flow:established,to_server; app-layer-event:http.missing_host_header; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221014; rev:1;) # Alert if hostname is both part of URL and Host header and they are not the same. alert http any any -> any any (msg:"SURICATA HTTP Host header ambiguous"; flow:established,to_server; app-layer-event:http.host_header_ambiguous; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221015; rev:1;) alert http any any -> any any (msg:"SURICATA HTTP invalid request field folding"; flow:established,to_server; app-layer-event:http.invalid_request_field_folding; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221016; rev:1;) alert http any any -> any any (msg:"SURICATA HTTP invalid response field folding"; flow:established,to_client; app-layer-event:http.invalid_response_field_folding; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221017; rev:1;) alert http any any -> any any (msg:"SURICATA HTTP request buffer too long"; flow:established,to_server; app-layer-event:http.request_field_too_long; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221018; rev:1;) alert http any any -> any any (msg:"SURICATA HTTP response buffer too long"; flow:established,to_client; app-layer-event:http.response_field_too_long; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221019; rev:1;) # Multipart parser detected generic error. alert http any any -> any any (msg:"SURICATA HTTP multipart generic error"; flow:established,to_server; app-layer-event:http.multipart_generic_error; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221022; rev:1;) # Multipart header claiming a file to present, but no actual filedata available. alert http any any -> any any (msg:"SURICATA HTTP multipart no filedata"; flow:established,to_server; app-layer-event:http.multipart_no_filedata; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221023; rev:1;) # Multipart header invalid. alert http any any -> any any (msg:"SURICATA HTTP multipart invalid header"; flow:established,to_server; app-layer-event:http.multipart_invalid_header; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221024; rev:1;) # Warn when the port in the Host: header doesn't match the actual TCP Server port. alert http any any -> any any (msg:"SURICATA HTTP request server port doesn't match TCP port"; flow:established,to_server; app-layer-event:http.request_server_port_tcp_port_mismatch; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221026; rev:1;) # Host part of URI is invalid alert http any any -> any any (msg:"SURICATA HTTP Host part of URI is invalid"; flow:established,to_server; app-layer-event:http.request_uri_host_invalid; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221027; rev:1;) # Host header is invalid alert http any any -> any any (msg:"SURICATA HTTP Host header invalid"; flow:established,to_server; app-layer-event:http.request_header_host_invalid; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221028; rev:1;) # URI is terminated by non-compliant characters. RFC allows for space (0x20), but many implementations permit others like tab and more. alert http any any -> any any (msg:"SURICATA HTTP URI terminated by non-compliant character"; flow:established,to_server; app-layer-event:http.uri_delim_non_compliant; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221029; rev:1;) # Method is terminated by non-compliant characters. RFC allows for space (0x20), but many implementations permit others like tab and more. alert http any any -> any any (msg:"SURICATA HTTP METHOD terminated by non-compliant character"; flow:established,to_server; app-layer-event:http.method_delim_non_compliant; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221030; rev:1;) # Request line started with whitespace alert http any any -> any any (msg:"SURICATA HTTP Request line with leading whitespace"; flow:established,to_server; app-layer-event:http.request_line_leading_whitespace; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221031; rev:1;) # next sid 2221032
13、SELKS里的suricata的LICENSE(非常重要)
# Emerging Threats # # This distribution may contain rules under three different licenses. # # Rules with sids 1 through 3464, and 100000000 through 100000908 are under the GPLv2. # A copy of that license is available at http://www.gnu.org/licenses/gpl-2.0.html # # Rules with sids 2000000 through 2799999 are from Emerging Threats and are covered under the BSD License # as follows: # #************************************************************* # Copyright (c) 2003-2014, Emerging Threats # All rights reserved. # # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* # # # Rules with sids 2800000 through 2900000 are provided by Emerging Threats Pro and are covered by the license # provided in this distribution titled ETPRO-License.txt # #
14、SELKS里的suricata的local.rules(非常重要)
15、SELKS里的suricata的modbus-events.rules(非常重要)
# Modbus Protocol version field is incorrect (Modbus version = 0) alert modbus any any -> any any (msg:"SURICATA Modbus invalid Protocol version"; app-layer-event:modbus.invalid_protocol_id; classtype:protocol-command-decode; sid:2250001; rev:2;) # Response (answer) we didn't see a Request for. Could be packet loss. alert modbus any any -> any any (msg:"SURICATA Modbus unsolicited response"; app-layer-event:modbus.unsolicited_response; classtype:protocol-command-decode; sid:2250002; rev:2;) # Malformed request or response. Malformed means length field is wrong alert modbus any any -> any any (msg:"SURICATA Modbus invalid Length"; app-layer-event:modbus.invalid_length; classtype:protocol-command-decode; sid:2250003; rev:2;) # Unit identifier field is incorrect alert modbus any any -> any any (msg:"SURICATA Modbus invalid Unit Identifier"; app-layer-event:modbus.invalid_unit_identifier; classtype:protocol-command-decode; sid:2250004; rev:2;) # Modbus Function code is incorrect alert modbus any any -> any any (msg:"SURICATA Modbus invalid Function code"; app-layer-event:modbus.invalid_function_code; classtype:protocol-command-decode; sid:2250005; rev:2;) # Modbus Request/Response value field is incorrect alert modbus any any -> any any (msg:"SURICATA Modbus invalid Value"; app-layer-event:modbus.invalid_value; classtype:protocol-command-decode; sid:2250006; rev:2;) # Modbus Expception code is incorrect alert modbus any any -> any any (msg:"SURICATA Modbus Exception code invalid"; flow:to_client; app-layer-event:modbus.invalid_exception_code; classtype:protocol-command-decode; sid:2250007; rev:2;) # Value field in Modbus Response does not match with Modbus Request alert modbus any any -> any any (msg:"SURICATA Modbus Data mismatch"; flow:to_client; app-layer-event:modbus.value_mismatch; classtype:protocol-command-decode; sid:2250008; rev:2;) # Request Flood Detected alert modbus any any -> any any (msg:"SURICATA Modbus Request flood detected"; flow:to_server; app-layer-event:modbus.flooded; classtype:protocol-command-decode; sid:2250009; rev:2;)
16、SELKS里的suricata的ntp-events.rules(非常重要)
# NTP app layer event rules # # SID's fall in the 2222000+ range. See https://redmine.openinfosecfoundation.org/projects/suricata/wiki/AppLayer # # These sigs fire at most once per connection. # alert ntp any any -> any any (msg:"SURICATA NTP malformed request data"; flow:to_server; app-layer-event:ntp.malformed_data; classtype:protocol-command-decode; sid:2222000; rev:1;) alert ntp any any -> any any (msg:"SURICATA NTP malformed response data"; flow:to_client; app-layer-event:ntp.malformed_data; classtype:protocol-command-decode; sid:2222001; rev:1;)
17、SELKS里的suricata的reference.config(非常重要)
# config reference: system URL config reference: bugtraq http://www.securityfocus.com/bid/ config reference: bid http://www.securityfocus.com/bid/ config reference: cve http://cve.mitre.org/cgi-bin/cvename.cgi?name= #config reference: cve http://cvedetails.com/cve/ config reference: secunia http://www.secunia.com/advisories/ #whitehats is unfortunately gone config reference: arachNIDS http://www.whitehats.com/info/IDS config reference: McAfee http://vil.nai.com/vil/content/v_ config reference: nessus http://cgi.nessus.org/plugins/dump.php3?id= config reference: url http:// config reference: et http://doc.emergingthreats.net/ config reference: etpro http://doc.emergingthreatspro.com/ config reference: telus http:// config reference: osvdb http://osvdb.org/show/osvdb/ config reference: threatexpert http://www.threatexpert.com/report.aspx?md5= config reference: md5 http://www.threatexpert.com/report.aspx?md5= config reference: exploitdb http://www.exploit-db.com/exploits/ config reference: openpacket https://www.openpacket.org/capture/grab/ config reference: securitytracker http://securitytracker.com/id? config reference: secunia http://secunia.com/advisories/ config reference: xforce http://xforce.iss.net/xforce/xfdb/ config reference: msft http://technet.microsoft.com/security/bulletin/
18、SELKS里的suricata的scirius.rules(非常重要)
这里由于太长,未粘贴了。
19、SELKS里的suricata的sid-msg.map(非常重要)
因为太长,所以未粘贴了。
20、SELKS里的suricata的smtp-events.rules(非常重要)
# SMTP event rules # # SID's fall in the 2220000+ range. See http://doc.emergingthreats.net/bin/view/Main/SidAllocation # # These sigs fire at most once per connection. # # A flowint smtp.anomaly.count is incremented for each match. By default it will be 0. # alert smtp any any -> any any (msg:"SURICATA SMTP invalid reply"; flow:established,to_client; app-layer-event:smtp.invalid_reply; flowint:smtp.anomaly.count,+,1; classtype:protocol-command-decode; sid:2220000; rev:1;) alert smtp any any -> any any (msg:"SURICATA SMTP unable to match reply with request"; flow:established,to_client; app-layer-event:smtp.unable_to_match_reply_with_request; flowint:smtp.anomaly.count,+,1; classtype:protocol-command-decode; sid:2220001; rev:1;) alert smtp any any -> any any (msg:"SURICATA SMTP max command line len exceeded"; flow:established; app-layer-event:smtp.max_command_line_len_exceeded; flowint:smtp.anomaly.count,+,1; classtype:protocol-command-decode; sid:2220002; rev:1;) alert smtp any any -> any any (msg:"SURICATA SMTP max reply line len exceeded"; flow:established,to_client; app-layer-event:smtp.max_reply_line_len_exceeded; flowint:smtp.anomaly.count,+,1; classtype:protocol-command-decode; sid:2220003; rev:1;) alert smtp any any -> any any (msg:"SURICATA SMTP invalid pipelined sequence"; flow:established,to_server; app-layer-event:smtp.invalid_pipelined_sequence; flowint:smtp.anomaly.count,+,1; classtype:protocol-command-decode; sid:2220004; rev:1;) alert smtp any any -> any any (msg:"SURICATA SMTP bdat chunk len exceeded"; flow:established; app-layer-event:smtp.bdat_chunk_len_exceeded; flowint:smtp.anomaly.count,+,1; classtype:protocol-command-decode; sid:2220005; rev:1;) alert smtp any any -> any any (msg:"SURICATA SMTP no server welcome message"; flow:established,to_client; app-layer-event:smtp.no_server_welcome_message; flowint:smtp.anomaly.count,+,1; classtype:protocol-command-decode; sid:2220006; rev:1;) alert smtp any any -> any any (msg:"SURICATA SMTP tls rejected"; flow:established; app-layer-event:smtp.tls_rejected; flowint:smtp.anomaly.count,+,1; classtype:protocol-command-decode; sid:2220007; rev:1;) alert smtp any any -> any any (msg:"SURICATA SMTP data command rejected"; flow:established,to_client; app-layer-event:smtp.data_command_rejected; flowint:smtp.anomaly.count,+,1; classtype:protocol-command-decode; sid:2220008; rev:1;) # SMTP MIME events #alert smtp any any -> any any (msg:"SURICATA SMTP Mime parser failed"; flow:established; app-layer-event:smtp.mime_parse_failed; flowint:smtp.anomaly.count,+,1; classtype:protocol-command-decode; sid:2220009; rev:1;) #alert smtp any any -> any any (msg:"SURICATA SMTP Mime malformed message found"; flow:established; app-layer-event:smtp.mime_malformed_msg; flowint:smtp.anomaly.count,+,1; classtype:protocol-command-decode; sid:2220010; rev:1;) #alert smtp any any -> any any (msg:"SURICATA SMTP Mime base64-decoding failed"; flow:established; app-layer-event:smtp.mime_invalid_base64; flowint:smtp.anomaly.count,+,1; classtype:protocol-command-decode; sid:2220011; rev:1;) #alert smtp any any -> any any (msg:"SURICATA SMTP Mime header name len exceeded"; flow:established; app-layer-event:smtp.mime_long_header_name; flowint:smtp.anomaly.count,+,1; classtype:protocol-command-decode; sid:2220012; rev:1;) #alert smtp any any -> any any (msg:"SURICATA SMTP Mime header value len exceeded"; flow:established; app-layer-event:smtp.mime_long_header_value; flowint:smtp.anomaly.count,+,1; classtype:protocol-command-decode; sid:2220013; rev:1;) #alert smtp any any -> any any (msg:"SURICATA SMTP Mime quoted-printable-decoding failed"; flow:established; app-layer-event:smtp.mime_invalid_qp; flowint:smtp.anomaly.count,+,1; classtype:protocol-command-decode; sid:2220014; rev:1;) #alert smtp any any -> any any (msg:"SURICATA SMTP Mime line len exceeded"; flow:established; app-layer-event:smtp.mime_long_line; flowint:smtp.anomaly.count,+,1; classtype:protocol-command-decode; sid:2220015; rev:1;) #alert smtp any any -> any any (msg:"SURICATA SMTP Mime encoded line len exceeded"; flow:established; app-layer-event:smtp.mime_long_enc_line; flowint:smtp.anomaly.count,+,1; classtype:protocol-command-decode; sid:2220016; rev:1;) alert smtp any any -> any any (msg:"SURICATA SMTP Mime boundary length exceeded"; flow:established,to_server; app-layer-event:smtp.mime_long_boundary; flowint:smtp.anomaly.count,+,1; classtype:protocol-command-decode; sid:2220017; rev:1;) alert smtp any any -> any any (msg:"SURICATA SMTP duplicate fields"; flow:established,to_server; app-layer-event:smtp.duplicate_fields; flowint:smtp.anomaly.count,+,1; classtype:protocol-command-decode; sid:2220018; rev:1;) alert smtp any any -> any any (msg:"SURICATA SMTP unparsable content"; flow:established,to_server; app-layer-event:smtp.unparsable_content; flowint:smtp.anomaly.count,+,1; classtype:protocol-command-decode; sid:2220019; rev:1;) # next sid 2220020
21、SELKS里的suricata的stream-events.rules(非常重要)
# Stream events -- rules for matching on TCP stream engine events. # # SID's fall in the 2210000+ range. See http://doc.emergingthreats.net/bin/view/Main/SidAllocation # alert tcp any any -> any any (msg:"SURICATA STREAM 3way handshake with ack in wrong dir"; stream-event:3whs_ack_in_wrong_dir; classtype:protocol-command-decode; sid:2210000; rev:2;) alert tcp any any -> any any (msg:"SURICATA STREAM 3way handshake async wrong sequence"; stream-event:3whs_async_wrong_seq; classtype:protocol-command-decode; sid:2210001; rev:2;) alert tcp any any -> any any (msg:"SURICATA STREAM 3way handshake right seq wrong ack evasion"; stream-event:3whs_right_seq_wrong_ack_evasion; classtype:protocol-command-decode; sid:2210002; rev:2;) alert tcp any any -> any any (msg:"SURICATA STREAM 3way handshake SYNACK in wrong direction"; stream-event:3whs_synack_in_wrong_direction; classtype:protocol-command-decode; sid:2210003; rev:2;) alert tcp any any -> any any (msg:"SURICATA STREAM 3way handshake SYNACK resend with different ack"; stream-event:3whs_synack_resend_with_different_ack; classtype:protocol-command-decode; sid:2210004; rev:2;) alert tcp any any -> any any (msg:"SURICATA STREAM 3way handshake SYNACK resend with different seq"; stream-event:3whs_synack_resend_with_diff_seq; classtype:protocol-command-decode; sid:2210005; rev:2;) alert tcp any any -> any any (msg:"SURICATA STREAM 3way handshake SYNACK to server on SYN recv"; stream-event:3whs_synack_toserver_on_syn_recv; classtype:protocol-command-decode; sid:2210006; rev:2;) alert tcp any any -> any any (msg:"SURICATA STREAM 3way handshake SYNACK with wrong ack"; stream-event:3whs_synack_with_wrong_ack; classtype:protocol-command-decode; sid:2210007; rev:2;) # Excessive SYN/ACKs within a session. Limit is set in stream engine, "stream.max-synack-queued". alert tcp any any -> any any (msg:"SURICATA STREAM 3way handshake excessive different SYN/ACKs"; stream-event:3whs_synack_flood; classtype:protocol-command-decode; sid:2210055; rev:2;) alert tcp any any -> any any (msg:"SURICATA STREAM 3way handshake SYN resend different seq on SYN recv"; stream-event:3whs_syn_resend_diff_seq_on_syn_recv; classtype:protocol-command-decode; sid:2210008; rev:2;) alert tcp any any -> any any (msg:"SURICATA STREAM 3way handshake SYN to client on SYN recv"; stream-event:3whs_syn_toclient_on_syn_recv; classtype:protocol-command-decode; sid:2210009; rev:2;) alert tcp any any -> any any (msg:"SURICATA STREAM 3way handshake wrong seq wrong ack"; stream-event:3whs_wrong_seq_wrong_ack; classtype:protocol-command-decode; sid:2210010; rev:2;) alert tcp any any -> any any (msg:"SURICATA STREAM 4way handshake SYNACK with wrong ACK"; stream-event:4whs_synack_with_wrong_ack; classtype:protocol-command-decode; sid:2210011; rev:2;) alert tcp any any -> any any (msg:"SURICATA STREAM 4way handshake SYNACK with wrong SYN"; stream-event:4whs_synack_with_wrong_syn; classtype:protocol-command-decode; sid:2210012; rev:2;) alert tcp any any -> any any (msg:"SURICATA STREAM 4way handshake wrong seq"; stream-event:4whs_wrong_seq; classtype:protocol-command-decode; sid:2210013; rev:2;) alert tcp any any -> any any (msg:"SURICATA STREAM 4way handshake invalid ack"; stream-event:4whs_invalid_ack; classtype:protocol-command-decode; sid:2210014; rev:2;) alert tcp any any -> any any (msg:"SURICATA STREAM CLOSEWAIT ACK out of window"; stream-event:closewait_ack_out_of_window; classtype:protocol-command-decode; sid:2210015; rev:2;) alert tcp any any -> any any (msg:"SURICATA STREAM CLOSEWAIT FIN out of window"; stream-event:closewait_fin_out_of_window; classtype:protocol-command-decode; sid:2210016; rev:2;) alert tcp any any -> any any (msg:"SURICATA STREAM CLOSEWAIT invalid ACK"; stream-event:closewait_invalid_ack; classtype:protocol-command-decode; sid:2210017; rev:2;) alert tcp any any -> any any (msg:"SURICATA STREAM CLOSING ACK wrong seq"; stream-event:closing_ack_wrong_seq; classtype:protocol-command-decode; sid:2210018; rev:2;) alert tcp any any -> any any (msg:"SURICATA STREAM CLOSING invalid ACK"; stream-event:closing_invalid_ack; classtype:protocol-command-decode; sid:2210019; rev:2;) alert tcp any any -> any any (msg:"SURICATA STREAM ESTABLISHED packet out of window"; stream-event:est_packet_out_of_window; classtype:protocol-command-decode; sid:2210020; rev:2;) alert tcp any any -> any any (msg:"SURICATA STREAM ESTABLISHED SYNACK resend"; stream-event:est_synack_resend; classtype:protocol-command-decode; sid:2210022; rev:2;) alert tcp any any -> any any (msg:"SURICATA STREAM ESTABLISHED SYNACK resend with different ACK"; stream-event:est_synack_resend_with_different_ack; classtype:protocol-command-decode; sid:2210023; rev:2;) alert tcp any any -> any any (msg:"SURICATA STREAM ESTABLISHED SYNACK resend with different seq"; stream-event:est_synack_resend_with_diff_seq; classtype:protocol-command-decode; sid:2210024; rev:2;) alert tcp any any -> any any (msg:"SURICATA STREAM ESTABLISHED SYNACK to server"; stream-event:est_synack_toserver; classtype:protocol-command-decode; sid:2210025; rev:2;) alert tcp any any -> any any (msg:"SURICATA STREAM ESTABLISHED SYN resend"; stream-event:est_syn_resend; classtype:protocol-command-decode; sid:2210026; rev:2;) alert tcp any any -> any any (msg:"SURICATA STREAM ESTABLISHED SYN resend with different seq"; stream-event:est_syn_resend_diff_seq; classtype:protocol-command-decode; sid:2210027; rev:2;) alert tcp any any -> any any (msg:"SURICATA STREAM ESTABLISHED SYN to client"; stream-event:est_syn_toclient; classtype:protocol-command-decode; sid:2210028; rev:2;) alert tcp any any -> any any (msg:"SURICATA STREAM ESTABLISHED invalid ack"; stream-event:est_invalid_ack; classtype:protocol-command-decode; sid:2210029; rev:2;) alert tcp any any -> any any (msg:"SURICATA STREAM FIN invalid ack"; stream-event:fin_invalid_ack; classtype:protocol-command-decode; sid:2210030; rev:2;) alert tcp any any -> any any (msg:"SURICATA STREAM FIN1 ack with wrong seq"; stream-event:fin1_ack_wrong_seq; classtype:protocol-command-decode; sid:2210031; rev:2;) alert tcp any any -> any any (msg:"SURICATA STREAM FIN1 FIN with wrong seq"; stream-event:fin1_fin_wrong_seq; classtype:protocol-command-decode; sid:2210032; rev:2;) alert tcp any any -> any any (msg:"SURICATA STREAM FIN1 invalid ack"; stream-event:fin1_invalid_ack; classtype:protocol-command-decode; sid:2210033; rev:2;) alert tcp any any -> any any (msg:"SURICATA STREAM FIN2 ack with wrong seq"; stream-event:fin2_ack_wrong_seq; classtype:protocol-command-decode; sid:2210034; rev:2;) alert tcp any any -> any any (msg:"SURICATA STREAM FIN2 FIN with wrong seq"; stream-event:fin2_fin_wrong_seq; classtype:protocol-command-decode; sid:2210035; rev:2;) alert tcp any any -> any any (msg:"SURICATA STREAM FIN2 invalid ack"; stream-event:fin2_invalid_ack; classtype:protocol-command-decode; sid:2210036; rev:2;) # very common when looking at midstream traffic after IDS started #alert tcp any any -> any any (msg:"SURICATA STREAM FIN recv but no session"; stream-event:fin_but_no_session; classtype:protocol-command-decode; sid:2210037; rev:2;) alert tcp any any -> any any (msg:"SURICATA STREAM FIN out of window"; stream-event:fin_out_of_window; classtype:protocol-command-decode; sid:2210038; rev:2;) alert tcp any any -> any any (msg:"SURICATA STREAM Last ACK with wrong seq"; stream-event:lastack_ack_wrong_seq; classtype:protocol-command-decode; sid:2210039; rev:2;) alert tcp any any -> any any (msg:"SURICATA STREAM Last ACK invalid ACK"; stream-event:lastack_invalid_ack; classtype:protocol-command-decode; sid:2210040; rev:2;) # very common when looking at midstream traffic after IDS started #alert tcp any any -> any any (msg:"SURICATA STREAM RST recv but no session"; stream-event:rst_but_no_session; classtype:protocol-command-decode; sid:2210041; rev:2;) alert tcp any any -> any any (msg:"SURICATA STREAM TIMEWAIT ACK with wrong seq"; stream-event:timewait_ack_wrong_seq; classtype:protocol-command-decode; sid:2210042; rev:2;) alert tcp any any -> any any (msg:"SURICATA STREAM TIMEWAIT invalid ack"; stream-event:timewait_invalid_ack; classtype:protocol-command-decode; sid:2210043; rev:2;) alert tcp any any -> any any (msg:"SURICATA STREAM Packet with invalid timestamp"; stream-event:pkt_invalid_timestamp; classtype:protocol-command-decode; sid:2210044; rev:2;) alert tcp any any -> any any (msg:"SURICATA STREAM Packet with invalid ack"; stream-event:pkt_invalid_ack; classtype:protocol-command-decode; sid:2210045; rev:2;) # Broken TCP: ack field non 0, but ACK flag not set. http://ask.wireshark.org/questions/3183/acknowledgment-number-broken-tcp-the-acknowledge-field-is-nonzero-while-the-ack-flag-is-not-set # Often result of broken load balancers, firewalls and such. #alert tcp any any -> any any (msg:"SURICATA STREAM Packet with broken ack"; stream-event:pkt_broken_ack; classtype:protocol-command-decode; sid:2210051; rev:2;) alert tcp any any -> any any (msg:"SURICATA STREAM SHUTDOWN RST invalid ack"; stream-event:rst_invalid_ack; classtype:protocol-command-decode; sid:2210046; rev:2;) # SYN (re)send during shutdown (closing, closewait, finwait1, finwait2, lastack, timewait states) #alert tcp any any -> any any (msg:"SURICATA STREAM SYN resend"; stream-event:shutdown_syn_resend; classtype:protocol-command-decode; sid:2210049; rev:2;) # Sequence gap: missing data in the reassembly engine. Usually due to packet loss. Will be very noisy on a overloaded link / sensor. #alert tcp any any -> any any (msg:"SURICATA STREAM reassembly sequence GAP -- missing packet(s)"; stream-event:reassembly_seq_gap; classtype:protocol-command-decode; sid:2210048; rev:2;) alert tcp any any -> any any (msg:"SURICATA STREAM reassembly overlap with different data"; stream-event:reassembly_overlap_different_data; classtype:protocol-command-decode; sid:2210050; rev:2;) # Bad Window Update: see bug 1238 for an explanation alert tcp any any -> any any (msg:"SURICATA STREAM bad window update"; stream-event:pkt_bad_window_update; classtype:protocol-command-decode; sid:2210056; rev:1;) # retransmission detection # # The rules below match on retransmissions detected in various stages of the # stream engine. They are all "noalert" rules that increment the counter # tcp.retransmission.count. The last rule sid:2210054 matches if the counter # reaches 10. Increase this number if the rule is too noisy. # # "regular" retransmissions, only count alert tcp any any -> any any (msg:"SURICATA STREAM ESTABLISHED retransmission packet before last ack"; stream-event:est_pkt_before_last_ack; flowint:tcp.retransmission.count,+,1; noalert; classtype:protocol-command-decode; sid:2210021; rev:3;) # retransmission, only count alert tcp any any -> any any (msg:"SURICATA STREAM CLOSEWAIT retransmission packet before last ack"; stream-event:closewait_pkt_before_last_ack; flowint:tcp.retransmission.count,+,1; noalert; classtype:protocol-command-decode; sid:2210052; rev:3;) # retransmission of pkt before reassembly window, only count alert tcp any any -> any any (msg:"SURICATA STREAM reassembly segment before base seq (retransmission)"; stream-event:reassembly_segment_before_base_seq; flowint:tcp.retransmission.count,+,1; noalert; classtype:protocol-command-decode; sid:2210047; rev:2;) # count "general" retransmissions alert tcp any any -> any any (msg:"SURICATA STREAM Packet is retransmission"; stream-event:pkt_retransmission; flowint:tcp.retransmission.count,+,1; noalert; classtype:protocol-command-decode; sid:2210053; rev:1;) # rule to alert if a stream has excessive retransmissions alert tcp any any -> any any (msg:"SURICATA STREAM excessive retransmissions"; flowbits:isnotset,tcp.retransmission.alerted; flowint:tcp.retransmission.count,>=,10; flowbits:set,tcp.retransmission.alerted; classtype:protocol-command-decode; sid:2210054; rev:1;) # next sid 2210057
22、SELKS里的suricata的suricata-1.3-etpro-etnamed.yaml(非常重要)
%YAML 1.1 --- # Suricata configuration file. In addition to the comments describing all # options in this file, full documentation can be found at: # https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricatayaml # NOTE: This version of the Suricata.yaml file is modified by the Emerging Threats # Pro Team to reflect the default assumptions on inspection depths. Comments have been # added to note where users may tune defaults back where performance is a # concern. The default stance of this config is maximum detection. # Decisions on features such as file extraction and pcap logging must be made # locally. These are left at defaults. # Number of packets allowed to be processed simultaneously. Default is a # conservative 1024. A higher number will make sure CPU's/CPU cores will be # more easily kept busy, but may negatively impact caching. # # If you are using the CUDA pattern matcher (b2g_cuda below), different rules # apply. In that case try something like 4000 or more. This is because the CUDA # pattern matcher scans many packets in parallel. max-pending-packets: 5000 # Runmode the engine should use. Please check --list-runmodes to get the available # runmodes for each packet acquisition method. Defaults to "autofp" (auto flow pinned # load balancing). #runmode: autofp # Specifies the kind of flow load balancer used by the flow pinned autofp mode. # # Supported schedulers are: # # round-robin - Flows assigned to threads in a round robin fashion. # active-packets - Flows assigned to threads that have the lowest number of # unprocessed packets (default). # hash - Flow alloted usihng the address hash. More of a random # technique. Was the default in Suricata 1.2.1 and older. # #autofp-scheduler: active-packets # Default pid file. # Will use this file if no --pidfile in command options. #pid-file: /var/run/suricata.pid # Preallocated size for packet. Default is 1514 which is the classical # size for pcap on ethernet. You should adjust this value to the highest # packet size (MTU + hardware header) on your system. #default-packet-size: 1514 # The default logging directory. Any log or output file will be # placed here if its not specified with a full path name. This can be # overridden with the -l command line parameter. default-log-dir: /var/log/suricata/ # Unix command socket can be used to pass commands to suricata. # An external tool can then connect to get information from suricata # or trigger some modification of the engine. #unix-command: yes # Configure the type of alert (and other) logging you would like. outputs: # a line based alerts log similar to Snort's fast.log - fast: enabled: yes filename: fast.log append: yes #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' # alert output for use with Barnyard2 - unified2-alert: enabled: yes filename: unified2.alert # File size limit. Can be specified in kb, mb, gb. Just a number # is parsed as bytes. #limit: 32mb # a line based log of HTTP requests (no alerts) - http-log: enabled: yes filename: http.log append: yes #extended: yes # enable this for extended logging information #custom: yes # enabled the custom logging format (defined by customformat) #customformat: "%{%D-%H:%M:%S}t.%z %{X-Forwarded-For}i %H %m %h %u %s %B %a:%p -> %A:%P" #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' # a line based log of TLS handshake parameters (no alerts) - tls-log: enabled: yes # Log TLS connections. filename: tls.log # File to store TLS logs. extended: yes # Log extended information like fingerprint certs-log-dir: certs # directory to store the certificates files # a line based log to used with pcap file study. # this module is dedicated to offline pcap parsing (empty output # if used with another kind of input). It can interoperate with # pcap parser like wireshark via the suriwire plugin. - pcap-info: enabled: no # Packet log... log packets in pcap format. 2 modes of operation: "normal" # and "sguil". # # In normal mode a pcap file "filename" is created in the default-log-dir, # or are as specified by "dir". In Sguil mode "dir" indicates the base directory. # In this base dir the pcaps are created in th directory structure Sguil expects: # # $sguil-base-dir/YYYY-MM-DD/$filename.<timestamp> # # By default all packets are logged except: # - TCP streams beyond stream.reassembly.depth # - encrypted streams after the key exchange # - pcap-log: enabled: no filename: log.pcap # File size limit. Can be specified in kb, mb, gb. Just a number # is parsed as bytes. limit: 1000mb # If set to a value will enable ring buffer mode. Will keep Maximum of "max-files" of size "limit" max-files: 2000 mode: normal # normal or sguil. #sguil-base-dir: /nsm_data/ #ts-format: usec # sec or usec second format (default) is filename.sec usec is filename.sec.usec use-stream-depth: no #If set to "yes" packets seen after reaching stream inspection depth are ignored. "no" logs all packets # a full alerts log containing much information for signature writers # or for investigating suspected false positives. - alert-debug: enabled: no filename: alert-debug.log append: yes #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' # alert output to prelude (http://www.prelude-technologies.com/) only # available if Suricata has been compiled with --enable-prelude - alert-prelude: enabled: no profile: suricata log-packet-content: no log-packet-header: yes # Stats.log contains data from various counters of the suricata engine. # The interval field (in seconds) tells after how long output will be written # on the log file. - stats: enabled: yes filename: stats.log interval: 8 # a line based alerts log similar to fast.log into syslog - syslog: enabled: yes # reported identity to syslog. If ommited the program name (usually # suricata) will be used. #identity: "suricata" facility: local5 #level: Info ## possible levels: Emergency, Alert, Critical, ## Error, Warning, Notice, Info, Debug # a line based information for dropped packets in IPS mode - drop: enabled: no filename: drop.log append: yes #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' # output module to store extracted files to disk # # The files are stored to the log-dir in a format "file.<id>" where <id> is # an incrementing number starting at 1. For each file "file.<id>" a meta # file "file.<id>.meta" is created. # # File extraction depends on a lot of things to be fully done: # - stream reassembly depth. For optimal results, set this to 0 (unlimited) # - http request / response body sizes. Again set to 0 for optimal results. # - rules that contain the "filestore" keyword. - file-store: enabled: no # set to yes to enable log-dir: files # directory to store the files force-magic: no # force logging magic on all stored files force-md5: no # force logging of md5 checksums #waldo: file.waldo # waldo file to store the file_id across runs # output module to log files tracked in a easily parsable json format - file-log: enabled: no filename: files-json.log append: yes #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' force-magic: no # force logging magic on all logged files force-md5: no # force logging of md5 checksums # Magic file. The extension .mgc is added to the value here. #magic-file: /usr/share/file/magic magic-file: /usr/share/file/magic # When running in NFQ inline mode, it is possible to use a simulated # non-terminal NFQUEUE verdict. # This permit to do send all needed packet to suricata via this a rule: # iptables -I FORWARD -m mark ! --mark $MARK/$MASK -j NFQUEUE # And below, you can have your standard filtering ruleset. To activate # this mode, you need to set mode to 'repeat' # If you want packet to be sent to another queue after an ACCEPT decision # set mode to 'route' and set next-queue value. # On linux >= 3.6, you can set the fail-open option to yes to have the kernel # accept the packet if suricata is not able to keep pace. nfq: # mode: accept # repeat-mark: 1 # repeat-mask: 1 # route-queue: 2 # fail-open: yes # af-packet support # Set threads to > 1 to use PACKET_FANOUT support af-packet: - interface: eth0 # Number of receive threads (>1 will enable experimental flow pinned # runmode) threads: 1 # Default clusterid. AF_PACKET will load balance packets based on flow. # All threads/processes that will participate need to have the same # clusterid. cluster-id: 99 # Default AF_PACKET cluster type. AF_PACKET can load balance per flow or per hash. # This is only supported for Linux kernel > 3.1 # possible value are: # * cluster_round_robin: round robin load balancing # * cluster_flow: all packets of a given flow are send to the same socket # * cluster_cpu: all packets treated in kernel by a CPU are send to the same socket cluster-type: cluster_flow # In some fragmentation case, the hash can not be computed. If "defrag" is set # to yes, the kernel will do the needed defragmentation before sending the packets. defrag: yes # To use the ring feature of AF_PACKET, set 'use-mmap' to yes use-mmap: yes # Ring size will be computed with respect to max_pending_packets and number # of threads. You can set manually the ring size in number of packets by setting # the following value. If you are using flow cluster-type and have really network # intensive single-flow you could want to set the ring-size independantly of the number # of threads: #ring-size: 2048 # On busy system, this could help to set it to yes to recover from a packet drop # phase. This will result in some packets (at max a ring flush) being non treated. #use-emergency-flush: yes # recv buffer size, increase value could improve performance # buffer-size: 32768 # Set to yes to disable promiscuous mode # disable-promisc: no # Choose checksum verification mode for the interface. At the moment # of the capture, some packets may be with an invalid checksum due to # offloading to the network card of the checksum computation. # Possible values are: # - kernel: use indication sent by kernel for each packet (default) # - yes: checksum validation is forced # - no: checksum validation is disabled # - auto: suricata uses a statistical approach to detect when # checksum off-loading is used. # Warning: 'checksum-validation' must be set to yes to have any validation #checksum-checks: kernel # BPF filter to apply to this interface. The pcap filter syntax apply here. #bpf-filter: port 80 or udp # You can use the following variables to activate AF_PACKET tap od IPS mode. # If copy-mode is set to ips or tap, the traffic coming to the current # interface will be copied to the copy-iface interface. If 'tap' is set, the # copy is complete. If 'ips' is set, the packet matching a 'drop' action # will not be copied. #copy-mode: ips #copy-iface: eth1 - interface: eth1 threads: 1 cluster-id: 98 cluster-type: cluster_flow defrag: yes # buffer-size: 32768 # disable-promisc: no # You can specify a threshold config file by setting "threshold-file" # to the path of the threshold config file: # threshold-file: /etc/suricata/threshold.config # The detection engine builds internal groups of signatures. The engine # allow us to specify the profile to use for them, to manage memory on an # efficient way keeping a good performance. For the profile keyword you # can use the words "low", "medium", "high" or "custom". If you use custom # make sure to define the values at "- custom-values" as your convenience. # Usually you would prefer medium/high/low. # # "sgh mpm-context", indicates how the staging should allot mpm contexts for # the signature groups. "single" indicates the use of a single context for # all the signature group heads. "full" indicates a mpm-context for each # group head. "auto" lets the engine decide the distribution of contexts # based on the information the engine gathers on the patterns from each # group head. # # The option inspection-recursion-limit is used to limit the recursive calls # in the content inspection code. For certain payload-sig combinations, we # might end up taking too much time in the content inspection code. # If the argument specified is 0, the engine uses an internally defined # default limit. On not specifying a value, we use no limits on the recursion. detect-engine: - profile: medium - custom-values: toclient-src-groups: 2 toclient-dst-groups: 2 toclient-sp-groups: 2 toclient-dp-groups: 3 toserver-src-groups: 2 toserver-dst-groups: 4 toserver-sp-groups: 2 toserver-dp-groups: 25 - sgh-mpm-context: auto - inspection-recursion-limit: 3000 # When rule-reload is enabled, sending a USR2 signal to the Suricata process # will trigger a live rule reload. Experimental feature, use with care. #- rule-reload: true # If set to yes, the loading of signatures will be made after the capture # is started. This will limit the downtime in IPS mode. #- delayed-detect: yes # Suricata is multi-threaded. Here the threading can be influenced. threading: # On some cpu's/architectures it is beneficial to tie individual threads # to specific CPU's/CPU cores. In this case all threads are tied to CPU0, # and each extra CPU/core has one "detect" thread. # # On Intel Core2 and Nehalem CPU's enabling this will degrade performance. # set-cpu-affinity: no # Tune cpu affinity of suricata threads. Each family of threads can be bound # on specific CPUs. cpu-affinity: - management-cpu-set: cpu: [ 0 ] # include only these cpus in affinity settings - receive-cpu-set: cpu: [ 0 ] # include only these cpus in affinity settings - decode-cpu-set: cpu: [ 0, 1 ] mode: "balanced" - stream-cpu-set: cpu: [ "0-1" ] - detect-cpu-set: cpu: [ "all" ] mode: "exclusive" # run detect threads in these cpus # Use explicitely 3 threads and don't compute number by using # detect-thread-ratio variable: # threads: 3 prio: low: [ 0 ] medium: [ "1-2" ] high: [ 3 ] default: "medium" - verdict-cpu-set: cpu: [ 0 ] prio: default: "high" - reject-cpu-set: cpu: [ 0 ] prio: default: "low" - output-cpu-set: cpu: [ "all" ] prio: default: "medium" # # By default Suricata creates one "detect" thread per available CPU/CPU core. # This setting allows controlling this behaviour. A ratio setting of 2 will # create 2 detect threads for each CPU/CPU core. So for a dual core CPU this # will result in 4 detect threads. If values below 1 are used, less threads # are created. So on a dual core CPU a setting of 0.5 results in 1 detect # thread being created. Regardless of the setting at a minimum 1 detect # thread will always be created. # detect-thread-ratio: 1.5 # Cuda configuration. cuda: # The "mpm" profile. On not specifying any of these parameters, the engine's # internal default values are used, which are same as the ones specified here. - mpm: # Threshold limit for no of packets buffered to the GPU. Once we hit this # limit, we pass the buffer to the gpu. packet-buffer-limit: 2400 # The maximum length for a packet that we would buffer to the gpu. # Anything over this is MPM'ed on the CPU. All entries > 0 are valid. # Can be specified in kb, mb, gb. Just a number indicates it's in bytes. packet-size-limit: 1500 # No of packet buffers we initialize. All entries > 0 are valid. packet-buffers: 10 # The timeout limit for batching of packets in secs. If we don't fill the # buffer within this timeout limit, we pass the currently filled buffer to the gpu. # All entries > 0 are valid. batching-timeout: 1 # Specifies whether to use page-locked memory whereever possible. Accepted values # are "enabled" and "disabled". page-locked: enabled # The device to use for the mpm. Currently we don't support load balancing # on multiple gpus. In case you have multiple devices on your system, you # can specify the device to use, using this conf. By default we hold 0, to # specify the first device cuda sees. To find out device-id associated with # the card(s) on the system run "suricata --list-cuda-cards". device-id: 0 # No of Cuda streams used for asynchronous processing. All values > 0 are valid. # For this option you need a device with Compute Capability > 1.0 and # page-locked enabled to have any effect. cuda-streams: 2 # Select the multi pattern algorithm you want to run for scan/search the # in the engine. The supported algorithms are b2g, b2gc, b2gm, b3g, wumanber, # ac and ac-gfbs. # # The mpm you choose also decides the distribution of mpm contexts for # signature groups, specified by the conf - "detect-engine.sgh-mpm-context". # Selecting "ac" as the mpm would require "detect-engine.sgh-mpm-context" # to be set to "single", because of ac's memory requirements, unless the # ruleset is small enough to fit in one's memory, in which case one can # use "full" with "ac". Rest of the mpms can be run in "full" mode. # # There is also a CUDA pattern matcher (only available if Suricata was # compiled with --enable-cuda: b2g_cuda. Make sure to update your # max-pending-packets setting above as well if you use b2g_cuda. mpm-algo: ac # The memory settings for hash size of these algorithms can vary from lowest # (2048) - low (4096) - medium (8192) - high (16384) - higher (32768) - max # (65536). The bloomfilter sizes of these algorithms can vary from low (512) - # medium (1024) - high (2048). # # For B2g/B3g algorithms, there is a support for two different scan/search # algorithms. For B2g the scan algorithms are B2gScan & B2gScanBNDMq, and # search algorithms are B2gSearch & B2gSearchBNDMq. For B3g scan algorithms # are B3gScan & B3gScanBNDMq, and search algorithms are B3gSearch & # B3gSearchBNDMq. # # For B2g the different scan/search algorithms and, hash and bloom # filter size settings. For B3g the different scan/search algorithms and, hash # and bloom filter size settings. For wumanber the hash and bloom filter size # settings. pattern-matcher: - b2gc: search-algo: B2gSearchBNDMq hash-size: low bf-size: medium - b2gm: search-algo: B2gSearchBNDMq hash-size: low bf-size: medium - b2g: search-algo: B2gSearchBNDMq hash-size: low bf-size: medium - b3g: search-algo: B3gSearchBNDMq hash-size: low bf-size: medium - wumanber: hash-size: low bf-size: medium # Defrag settings: defrag: trackers: 65535 # number of defragmented flows to follow max-frags: 65535 # number of fragments to keep (higher than trackers) prealloc: yes timeout: 60 # Flow settings: # By default, the reserved memory (memcap) for flows is 32MB. This is the limit # for flow allocation inside the engine. You can change this value to allow # more memory usage for flows. # The hash-size determine the size of the hash used to identify flows inside # the engine, and by default the value is 65536. # At the startup, the engine can preallocate a number of flows, to get a better # performance. The number of flows preallocated is 10000 by default. # emergency-recovery is the percentage of flows that the engine need to # prune before unsetting the emergency state. The emergency state is activated # when the memcap limit is reached, allowing to create new flows, but # prunning them with the emergency timeouts (they are defined below). # If the memcap is reached, the engine will try to prune flows # with the default timeouts. If it doens't find a flow to prune, it will set # the emergency bit and it will try again with more agressive timeouts. # If that doesn't work, then it will try to kill the last time seen flows # not in use. # The memcap can be specified in kb, mb, gb. Just a number indicates it's # in bytes. flow: memcap: 32mb hash-size: 65536 prealloc: 10000 emergency-recovery: 30 # Specific timeouts for flows. Here you can specify the timeouts that the # active flows will wait to transit from the current state to another, on each # protocol. The value of "new" determine the seconds to wait after a hanshake or # stream startup before the engine free the data of that flow it doesn't # change the state to established (usually if we don't receive more packets # of that flow). The value of "established" is the amount of # seconds that the engine will wait to free the flow if it spend that amount # without receiving new packets or closing the connection. "closed" is the # amount of time to wait after a flow is closed (usually zero). # # There's an emergency mode that will become active under attack circumstances, # making the engine to check flow status faster. This configuration variables # use the prefix "emergency-" and work similar as the normal ones. # Some timeouts doesn't apply to all the protocols, like "closed", for udp and # icmp. flow-timeouts: default: new: 30 established: 300 closed: 0 emergency-new: 10 emergency-established: 100 emergency-closed: 0 tcp: new: 60 established: 3600 closed: 120 emergency-new: 10 emergency-established: 300 emergency-closed: 20 udp: new: 30 established: 300 emergency-new: 10 emergency-established: 100 icmp: new: 30 established: 300 emergency-new: 10 emergency-established: 100 # Stream engine settings. Here the TCP stream tracking and reaasembly # engine is configured. # # stream: # memcap: 32mb # Can be specified in kb, mb, gb. Just a # # number indicates it's in bytes. # checksum-validation: yes # To validate the checksum of received # # packet. If csum validation is specified as # # "yes", then packet with invalid csum will not # # be processed by the engine stream/app layer. # # Warning: locally generated trafic can be # # generated without checksum due to hardware offload # # of checksum. You can control the handling of checksum # # on a per-interface basis via the 'checksum-checks' # # option # max-sessions: 262144 # 256k concurrent sessions # prealloc-sessions: 32768 # 32k sessions prealloc'd # midstream: false # don't allow midstream session pickups # async-oneside: false # don't enable async stream handling # inline: no # stream inline mode # # reassembly: # memcap: 64mb # Can be specified in kb, mb, gb. Just a number # # indicates it's in bytes. # depth: 1mb # Can be specified in kb, mb, gb. Just a number # # indicates it's in bytes. # toserver-chunk-size: 2560 # inspect raw stream in chunks of at least # # this size. Can be specified in kb, mb, # # gb. Just a number indicates it's in bytes. # toclient-chunk-size: 2560 # inspect raw stream in chunks of at least # # this size. Can be specified in kb, mb, # # gb. Just a number indicates it's in bytes. stream: memcap: 32mb checksum-validation: yes # reject wrong csums inline: no # no inline mode reassembly: memcap: 64mb depth: 1mb # reassemble 1mb into a stream toserver-chunk-size: 2560 toclient-chunk-size: 2560 # Host table: # # Host table is used by tagging and per host thresholding subsystems. # host: hash-size: 4096 prealloc: 1000 memcap: 16777216 # Logging configuration. This is not about logging IDS alerts, but # IDS output about what its doing, errors, etc. logging: # The default log level, can be overridden in an output section. # Note that debug level logging will only be emitted if Suricata was # compiled with the --enable-debug configure option. # # This value is overriden by the SC_LOG_LEVEL env var. default-log-level: info # The default output format. Optional parameter, should default to # something reasonable if not provided. Can be overriden in an # output section. You can leave this out to get the default. # # This value is overriden by the SC_LOG_FORMAT env var. #default-log-format: "[%i] %t - (%f:%l) <%d> (%n) -- " # A regex to filter output. Can be overridden in an output section. # Defaults to empty (no filter). # # This value is overriden by the SC_LOG_OP_FILTER env var. default-output-filter: # Define your logging outputs. If none are defined, or they are all # disabled you will get the default - console output. outputs: - console: enabled: yes - file: enabled: yes filename: /var/log/suricata.log - syslog: enabled: yes facility: local5 format: "[%i] <%d> -- " # PF_RING configuration. for use with native PF_RING support # for more info see http://www.ntop.org/PF_RING.html pfring: - interface: eth0 # Number of receive threads (>1 will enable experimental flow pinned # runmode) threads: 1 # Default clusterid. PF_RING will load balance packets based on flow. # All threads/processes that will participate need to have the same # clusterid. cluster-id: 99 # Default PF_RING cluster type. PF_RING can load balance per flow or per hash. # This is only supported in versions of PF_RING > 4.1.1. cluster-type: cluster_round_robin # bpf filter for this interface #bpf-filter: tcp # Choose checksum verification mode for the interface. At the moment # of the capture, some packets may be with an invalid checksum due to # offloading to the network card of the checksum computation. # Possible values are: # - rxonly: only compute checksum for packets received by network card. # - yes: checksum validation is forced # - no: checksum validation is disabled # - auto: suricata uses a statistical approach to detect when # checksum off-loading is used. (default) # Warning: 'checksum-validation' must be set to yes to have any validation #checksum-checks: auto # Second interface #- interface: eth1 # threads: 3 # cluster-id: 93 # cluster-type: cluster_flow pcap: - interface: eth0 #buffer-size: 32768 #bpf-filter: "tcp and port 25" # Choose checksum verification mode for the interface. At the moment # of the capture, some packets may be with an invalid checksum due to # offloading to the network card of the checksum computation. # Possible values are: # - yes: checksum validation is forced # - no: checksum validation is disabled # - auto: suricata uses a statistical approach to detect when # checksum off-loading is used. (default) # Warning: 'checksum-validation' must be set to yes to have any validation #checksum-checks: auto # For FreeBSD ipfw(8) divert(4) support. # Please make sure you have ipfw_load="YES" and ipdivert_load="YES" # in /etc/loader.conf or kldload'ing the appropriate kernel modules. # Additionally, you need to have an ipfw rule for the engine to see # the packets from ipfw. For Example: # # ipfw add 100 divert 8000 ip from any to any # # The 8000 above should be the same number you passed on the command # line, i.e. -d 8000 # ipfw: # Reinject packets at the specified ipfw rule number. This config # option is the ipfw rule number AT WHICH rule processing continues # in the ipfw processing system after the engine has finished # inspecting the packet for acceptance. If no rule number is specified, # accepted packets are reinjected at the divert rule which they entered # and IPFW rule processing continues. No check is done to verify # this will rule makes sense so care must be taken to avoid loops in ipfw. # ## The following example tells the engine to reinject packets # back into the ipfw firewall AT rule number 5500: # # ipfw-reinjection-rule-number: 5500 # Set the default rule path here to search for the files. # if not set, it will look at the current working dir default-rule-path: /etc/suricata/rules/ rule-files: #Malware/trojan oriented rules - etpro-trojan.rules - etpro-malware.rules - etpro-mobile_malware.rules - etpro-worm.rules - etpro-user_agents.rules - etpro-current_events.rules #important but relatively low load rules you'll likely want to keep on - etpro-ftp.rules - etpro-pop3.rules - etpro-rpc.rules - etpro-attack_response.rules # - etpro-icmp.rules - etpro-scan.rules - etpro-voip.rules - etpro-imap.rules - etpro-web_server.rules - etpro-smtp.rules - etpro-dns.rules - etpro-misc.rules - etpro-snmp.rules - etpro-sql.rules - etpro-dos.rules - etpro-telnet.rules - etpro-exploit.rules - etpro-tftp.rules #useful but often high load rules. Look here for performance tuning - etpro-web_client.rules - etpro-netbios.rules #things you'll want to look through and consider policy needs - etpro-policy.rules # - etpro-games.rules - etpro-p2p.rules - etpro-chat.rules #informational, not recommended for high speed nets # - etpro-icmp_info.rules # - etpro-info.rules # - etpro-shellcode.rules # - etpro-inappropriate.rules # - etpro-web_specific_apps.rules # - etpro-activex.rules #ip based rules - botcc.rules - ciarmy.rules - compromised.rules - drop.rules - dshield.rules - tor.rules #only use the scada_special if you have the scada extensions compiled int # - etpro-scada_special.rules # - etpro-scada.rules classification-file: /etc/suricata/classification.config reference-config-file: /etc/suricata/reference.config # Holds variables that would be used by the engine. vars: # Holds the address group vars that would be passed in a Signature. # These would be retrieved during the Signature address parsing stage. address-groups: HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]" EXTERNAL_NET: "any" HTTP_SERVERS: "$HOME_NET" SMTP_SERVERS: "$HOME_NET" SQL_SERVERS: "$HOME_NET" DNS_SERVERS: "$HOME_NET" TELNET_SERVERS: "$HOME_NET" AIM_SERVERS: "$EXTERNAL_NET" DNP3_SERVER: "$HOME_NET" DNP3_CLIENT: "$HOME_NET" MODBUS_CLIENT: "$HOME_NET" MODBUS_SERVER: "$HOME_NET" ENIP_CLIENT: "$HOME_NET" ENIP_SERVER: "$HOME_NET" # Holds the port group vars that would be passed in a Signature. # These would be retrieved during the Signature port parsing stage. port-groups: HTTP_PORTS: "[80,81,311,591,593,901,1220,1414,1830,2301,2381,2809,3128,3702,4343,5250,7001,7145,7510,7777,7779,8000,8008,8014,8028,8080,8088,8118,8123,8180,8181,8243,8280,8800,8888,8899,9080,9090,9091,9443,9999,11371,55555]" SHELLCODE_PORTS: "!80" ORACLE_PORTS: 1521 SSH_PORTS: 22 DNP3_PORTS: 20000 # Set the order of alerts bassed on actions # The default order is pass, drop, reject, alert action-order: - pass - drop - reject - alert # Host specific policies for defragmentation and TCP stream # reassembly. The host OS lookup is done using a radix tree, just # like a routing table so the most specific entry matches. host-os-policy: # Make the default policy windows. windows: [0.0.0.0/0] bsd: [] bsd-right: [] old-linux: [] linux: [] old-solaris: [] solaris: [] hpux10: [] hpux11: [] irix: [] macos: [] vista: [] windows2k3: [] # Limit for the maximum number of asn1 frames to decode (default 256) asn1-max-frames: 256 # When run with the option --engine-analysis, the engine will read each of # the parameters below, and print reports for each of the enabled sections # and exit. The reports are printed to a file in the default log dir # given by the parameter "default-log-dir", with engine reporting # subsection below printing reports in its own report file. engine-analysis: # enables printing reports for fast-pattern for every rule. rules-fast-pattern: yes # enables printing reports for each rule rules: yes #recursion and match limits for PCRE where supported pcre: match-limit: 3500 match-limit-recursion: 1500 ########################################################################### # Configure libhtp. # # # default-config: Used when no server-config matches # personality: List of personalities used by default # request-body-limit: Limit reassembly of request body for inspection # by http_client_body & pcre /P option. # response-body-limit: Limit reassembly of response body for inspection # by file_data, http_server_body & pcre /Q option. # double-decode-path: Double decode path section of the URI # double-decode-query: Double decode query section of the URI # # server-config: List of server configurations to use if address matches # address: List of ip addresses or networks for this block # personalitiy: List of personalities used by this block # request-body-limit: Limit reassembly of request body for inspection # by http_client_body & pcre /P option. # response-body-limit: Limit reassembly of response body for inspection # by file_data, http_server_body & pcre /Q option. # double-decode-path: Double decode path section of the URI # double-decode-query: Double decode query section of the URI # # Currently Available Personalities: # Minimal # Generic # IDS (default) # IIS_4_0 # IIS_5_0 # IIS_5_1 # IIS_6_0 # IIS_7_0 # IIS_7_5 # Apache # Apache_2_2 ########################################################################### libhtp: default-config: personality: IDS # Can be specified in kb, mb, gb. Just a number indicates # it's in bytes. request-body-limit: 0 response-body-limit: 0 double-decode-path: no double-decode-query: no ##### Set proper personality for your net ####### # server-config: # - apache: # address: [192.168.1.0/24, 127.0.0.0/8, "::1"] # personality: Apache_2_2 # # Can be specified in kb, mb, gb. Just a number indicates # # it's in bytes. # request-body-limit: 0 # response-body-limit: 0 # double-decode-path: no # double-decode-query: no # # - iis7: # address: # - 192.168.0.0/24 # - 192.168.10.0/24 # personality: IIS_7_0 # # Can be specified in kb, mb, gb. Just a number indicates # # it's in bytes. # request-body-limit: 0 # response-body-limit: 0 # double-decode-path: no # double-decode-query: no # Profiling settings. Only effective if Suricata has been built with the # the --enable-profiling configure flag. # profiling: # rule profiling rules: # Profiling can be disabled here, but it will still have a # performance impact if compiled in. enabled: yes filename: rule_perf.log append: yes # Sort options: ticks, avgticks, checks, matches, maxticks sort: avgticks # Limit the number of items printed at exit. #limit: 100 # packet profiling packets: # Profiling can be disabled here, but it will still have a # performance impact if compiled in. enabled: yes filename: packet_stats.log append: yes # per packet csv output csv: # Output can be disabled here, but it will still have a # performance impact if compiled in. enabled: no filename: packet_stats.csv # profiling of locking. Only available when Suricata was built with # --enable-profiling-locks. locks: enabled: no filename: lock_stats.log append: yes # Suricata core dump configuration. Limits the size of the core dump file to # approximately max-dump. The actual core dump size will be a multiple of the # page size. Core dumps that would be larger than max-dump are truncated. On # Linux, the actual core dump size may be a few pages larger than max-dump. # Setting max-dump to 0 disables core dumping. # Setting max-dump to 'unlimited' will give the full core dump file. # On 32-bit Linux, a max-dump value >= ULONG_MAX may cause the core dump size # to be 'unlimited'. coredump: max-dump: unlimited
23、SELKS里的suricata的suricata-1.3-open.txt(非常重要)
这里面,默认是为空的。
24、SELKS里的suricata的suricata-1.3-open.yaml(非常重要)
%YAML 1.1 --- # Suricata configuration file. In addition to the comments describing all # options in this file, full documentation can be found at: # https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricatayaml # NOTE: This version of the Suricata.yaml file is modified by the Emerging Threats # Pro Team to reflect the default assumptions on inspection depths. Comments have been # added to note where users may tune defaults back where performance is a # concern. The default stance of this config is maximum detection. # Decisions on features such as file extraction and pcap logging must be made # locally. These are left at defaults. # Number of packets allowed to be processed simultaneously. Default is a # conservative 1024. A higher number will make sure CPU's/CPU cores will be # more easily kept busy, but may negatively impact caching. # # If you are using the CUDA pattern matcher (b2g_cuda below), different rules # apply. In that case try something like 4000 or more. This is because the CUDA # pattern matcher scans many packets in parallel. max-pending-packets: 5000 # Runmode the engine should use. Please check --list-runmodes to get the available # runmodes for each packet acquisition method. Defaults to "autofp" (auto flow pinned # load balancing). #runmode: autofp # Specifies the kind of flow load balancer used by the flow pinned autofp mode. # # Supported schedulers are: # # round-robin - Flows assigned to threads in a round robin fashion. # active-packets - Flows assigned to threads that have the lowest number of # unprocessed packets (default). # hash - Flow alloted usihng the address hash. More of a random # technique. Was the default in Suricata 1.2.1 and older. # #autofp-scheduler: active-packets # Default pid file. # Will use this file if no --pidfile in command options. #pid-file: /var/run/suricata.pid # Preallocated size for packet. Default is 1514 which is the classical # size for pcap on ethernet. You should adjust this value to the highest # packet size (MTU + hardware header) on your system. #default-packet-size: 1514 # The default logging directory. Any log or output file will be # placed here if its not specified with a full path name. This can be # overridden with the -l command line parameter. default-log-dir: /var/log/suricata/ # Unix command socket can be used to pass commands to suricata. # An external tool can then connect to get information from suricata # or trigger some modification of the engine. #unix-command: yes # Configure the type of alert (and other) logging you would like. outputs: # a line based alerts log similar to Snort's fast.log - fast: enabled: yes filename: fast.log append: yes #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' # alert output for use with Barnyard2 - unified2-alert: enabled: yes filename: unified2.alert # File size limit. Can be specified in kb, mb, gb. Just a number # is parsed as bytes. #limit: 32mb # a line based log of HTTP requests (no alerts) - http-log: enabled: yes filename: http.log append: yes #extended: yes # enable this for extended logging information #custom: yes # enabled the custom logging format (defined by customformat) #customformat: "%{%D-%H:%M:%S}t.%z %{X-Forwarded-For}i %H %m %h %u %s %B %a:%p -> %A:%P" #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' # a line based log of TLS handshake parameters (no alerts) - tls-log: enabled: yes # Log TLS connections. filename: tls.log # File to store TLS logs. extended: yes # Log extended information like fingerprint certs-log-dir: certs # directory to store the certificates files # a line based log to used with pcap file study. # this module is dedicated to offline pcap parsing (empty output # if used with another kind of input). It can interoperate with # pcap parser like wireshark via the suriwire plugin. - pcap-info: enabled: no # Packet log... log packets in pcap format. 2 modes of operation: "normal" # and "sguil". # # In normal mode a pcap file "filename" is created in the default-log-dir, # or are as specified by "dir". In Sguil mode "dir" indicates the base directory. # In this base dir the pcaps are created in th directory structure Sguil expects: # # $sguil-base-dir/YYYY-MM-DD/$filename.<timestamp> # # By default all packets are logged except: # - TCP streams beyond stream.reassembly.depth # - encrypted streams after the key exchange # - pcap-log: enabled: no filename: log.pcap # File size limit. Can be specified in kb, mb, gb. Just a number # is parsed as bytes. limit: 1000mb # If set to a value will enable ring buffer mode. Will keep Maximum of "max-files" of size "limit" max-files: 2000 mode: normal # normal or sguil. #sguil-base-dir: /nsm_data/ #ts-format: usec # sec or usec second format (default) is filename.sec usec is filename.sec.usec use-stream-depth: no #If set to "yes" packets seen after reaching stream inspection depth are ignored. "no" logs all packets # a full alerts log containing much information for signature writers # or for investigating suspected false positives. - alert-debug: enabled: no filename: alert-debug.log append: yes #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' # alert output to prelude (http://www.prelude-technologies.com/) only # available if Suricata has been compiled with --enable-prelude - alert-prelude: enabled: no profile: suricata log-packet-content: no log-packet-header: yes # Stats.log contains data from various counters of the suricata engine. # The interval field (in seconds) tells after how long output will be written # on the log file. - stats: enabled: yes filename: stats.log interval: 8 # a line based alerts log similar to fast.log into syslog - syslog: enabled: yes # reported identity to syslog. If ommited the program name (usually # suricata) will be used. #identity: "suricata" facility: local5 #level: Info ## possible levels: Emergency, Alert, Critical, ## Error, Warning, Notice, Info, Debug # a line based information for dropped packets in IPS mode - drop: enabled: no filename: drop.log append: yes #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' # output module to store extracted files to disk # # The files are stored to the log-dir in a format "file.<id>" where <id> is # an incrementing number starting at 1. For each file "file.<id>" a meta # file "file.<id>.meta" is created. # # File extraction depends on a lot of things to be fully done: # - stream reassembly depth. For optimal results, set this to 0 (unlimited) # - http request / response body sizes. Again set to 0 for optimal results. # - rules that contain the "filestore" keyword. - file-store: enabled: no # set to yes to enable log-dir: files # directory to store the files force-magic: no # force logging magic on all stored files force-md5: no # force logging of md5 checksums #waldo: file.waldo # waldo file to store the file_id across runs # output module to log files tracked in a easily parsable json format - file-log: enabled: no filename: files-json.log append: yes #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' force-magic: no # force logging magic on all logged files force-md5: no # force logging of md5 checksums # Magic file. The extension .mgc is added to the value here. #magic-file: /usr/share/file/magic magic-file: /usr/share/file/magic # When running in NFQ inline mode, it is possible to use a simulated # non-terminal NFQUEUE verdict. # This permit to do send all needed packet to suricata via this a rule: # iptables -I FORWARD -m mark ! --mark $MARK/$MASK -j NFQUEUE # And below, you can have your standard filtering ruleset. To activate # this mode, you need to set mode to 'repeat' # If you want packet to be sent to another queue after an ACCEPT decision # set mode to 'route' and set next-queue value. # On linux >= 3.6, you can set the fail-open option to yes to have the kernel # accept the packet if suricata is not able to keep pace. nfq: # mode: accept # repeat-mark: 1 # repeat-mask: 1 # route-queue: 2 # fail-open: yes # af-packet support # Set threads to > 1 to use PACKET_FANOUT support af-packet: - interface: eth0 # Number of receive threads (>1 will enable experimental flow pinned # runmode) threads: 1 # Default clusterid. AF_PACKET will load balance packets based on flow. # All threads/processes that will participate need to have the same # clusterid. cluster-id: 99 # Default AF_PACKET cluster type. AF_PACKET can load balance per flow or per hash. # This is only supported for Linux kernel > 3.1 # possible value are: # * cluster_round_robin: round robin load balancing # * cluster_flow: all packets of a given flow are send to the same socket # * cluster_cpu: all packets treated in kernel by a CPU are send to the same socket cluster-type: cluster_flow # In some fragmentation case, the hash can not be computed. If "defrag" is set # to yes, the kernel will do the needed defragmentation before sending the packets. defrag: yes # To use the ring feature of AF_PACKET, set 'use-mmap' to yes use-mmap: yes # Ring size will be computed with respect to max_pending_packets and number # of threads. You can set manually the ring size in number of packets by setting # the following value. If you are using flow cluster-type and have really network # intensive single-flow you could want to set the ring-size independantly of the number # of threads: #ring-size: 2048 # On busy system, this could help to set it to yes to recover from a packet drop # phase. This will result in some packets (at max a ring flush) being non treated. #use-emergency-flush: yes # recv buffer size, increase value could improve performance # buffer-size: 32768 # Set to yes to disable promiscuous mode # disable-promisc: no # Choose checksum verification mode for the interface. At the moment # of the capture, some packets may be with an invalid checksum due to # offloading to the network card of the checksum computation. # Possible values are: # - kernel: use indication sent by kernel for each packet (default) # - yes: checksum validation is forced # - no: checksum validation is disabled # - auto: suricata uses a statistical approach to detect when # checksum off-loading is used. # Warning: 'checksum-validation' must be set to yes to have any validation #checksum-checks: kernel # BPF filter to apply to this interface. The pcap filter syntax apply here. #bpf-filter: port 80 or udp # You can use the following variables to activate AF_PACKET tap od IPS mode. # If copy-mode is set to ips or tap, the traffic coming to the current # interface will be copied to the copy-iface interface. If 'tap' is set, the # copy is complete. If 'ips' is set, the packet matching a 'drop' action # will not be copied. #copy-mode: ips #copy-iface: eth1 - interface: eth1 threads: 1 cluster-id: 98 cluster-type: cluster_flow defrag: yes # buffer-size: 32768 # disable-promisc: no # You can specify a threshold config file by setting "threshold-file" # to the path of the threshold config file: # threshold-file: /etc/suricata/threshold.config # The detection engine builds internal groups of signatures. The engine # allow us to specify the profile to use for them, to manage memory on an # efficient way keeping a good performance. For the profile keyword you # can use the words "low", "medium", "high" or "custom". If you use custom # make sure to define the values at "- custom-values" as your convenience. # Usually you would prefer medium/high/low. # # "sgh mpm-context", indicates how the staging should allot mpm contexts for # the signature groups. "single" indicates the use of a single context for # all the signature group heads. "full" indicates a mpm-context for each # group head. "auto" lets the engine decide the distribution of contexts # based on the information the engine gathers on the patterns from each # group head. # # The option inspection-recursion-limit is used to limit the recursive calls # in the content inspection code. For certain payload-sig combinations, we # might end up taking too much time in the content inspection code. # If the argument specified is 0, the engine uses an internally defined # default limit. On not specifying a value, we use no limits on the recursion. detect-engine: - profile: medium - custom-values: toclient-src-groups: 2 toclient-dst-groups: 2 toclient-sp-groups: 2 toclient-dp-groups: 3 toserver-src-groups: 2 toserver-dst-groups: 4 toserver-sp-groups: 2 toserver-dp-groups: 25 - sgh-mpm-context: auto - inspection-recursion-limit: 3000 # When rule-reload is enabled, sending a USR2 signal to the Suricata process # will trigger a live rule reload. Experimental feature, use with care. #- rule-reload: true # If set to yes, the loading of signatures will be made after the capture # is started. This will limit the downtime in IPS mode. #- delayed-detect: yes # Suricata is multi-threaded. Here the threading can be influenced. threading: # On some cpu's/architectures it is beneficial to tie individual threads # to specific CPU's/CPU cores. In this case all threads are tied to CPU0, # and each extra CPU/core has one "detect" thread. # # On Intel Core2 and Nehalem CPU's enabling this will degrade performance. # set-cpu-affinity: no # Tune cpu affinity of suricata threads. Each family of threads can be bound # on specific CPUs. cpu-affinity: - management-cpu-set: cpu: [ 0 ] # include only these cpus in affinity settings - receive-cpu-set: cpu: [ 0 ] # include only these cpus in affinity settings - decode-cpu-set: cpu: [ 0, 1 ] mode: "balanced" - stream-cpu-set: cpu: [ "0-1" ] - detect-cpu-set: cpu: [ "all" ] mode: "exclusive" # run detect threads in these cpus # Use explicitely 3 threads and don't compute number by using # detect-thread-ratio variable: # threads: 3 prio: low: [ 0 ] medium: [ "1-2" ] high: [ 3 ] default: "medium" - verdict-cpu-set: cpu: [ 0 ] prio: default: "high" - reject-cpu-set: cpu: [ 0 ] prio: default: "low" - output-cpu-set: cpu: [ "all" ] prio: default: "medium" # # By default Suricata creates one "detect" thread per available CPU/CPU core. # This setting allows controlling this behaviour. A ratio setting of 2 will # create 2 detect threads for each CPU/CPU core. So for a dual core CPU this # will result in 4 detect threads. If values below 1 are used, less threads # are created. So on a dual core CPU a setting of 0.5 results in 1 detect # thread being created. Regardless of the setting at a minimum 1 detect # thread will always be created. # detect-thread-ratio: 1.5 # Cuda configuration. cuda: # The "mpm" profile. On not specifying any of these parameters, the engine's # internal default values are used, which are same as the ones specified here. - mpm: # Threshold limit for no of packets buffered to the GPU. Once we hit this # limit, we pass the buffer to the gpu. packet-buffer-limit: 2400 # The maximum length for a packet that we would buffer to the gpu. # Anything over this is MPM'ed on the CPU. All entries > 0 are valid. # Can be specified in kb, mb, gb. Just a number indicates it's in bytes. packet-size-limit: 1500 # No of packet buffers we initialize. All entries > 0 are valid. packet-buffers: 10 # The timeout limit for batching of packets in secs. If we don't fill the # buffer within this timeout limit, we pass the currently filled buffer to the gpu. # All entries > 0 are valid. batching-timeout: 1 # Specifies whether to use page-locked memory whereever possible. Accepted values # are "enabled" and "disabled". page-locked: enabled # The device to use for the mpm. Currently we don't support load balancing # on multiple gpus. In case you have multiple devices on your system, you # can specify the device to use, using this conf. By default we hold 0, to # specify the first device cuda sees. To find out device-id associated with # the card(s) on the system run "suricata --list-cuda-cards". device-id: 0 # No of Cuda streams used for asynchronous processing. All values > 0 are valid. # For this option you need a device with Compute Capability > 1.0 and # page-locked enabled to have any effect. cuda-streams: 2 # Select the multi pattern algorithm you want to run for scan/search the # in the engine. The supported algorithms are b2g, b2gc, b2gm, b3g, wumanber, # ac and ac-gfbs. # # The mpm you choose also decides the distribution of mpm contexts for # signature groups, specified by the conf - "detect-engine.sgh-mpm-context". # Selecting "ac" as the mpm would require "detect-engine.sgh-mpm-context" # to be set to "single", because of ac's memory requirements, unless the # ruleset is small enough to fit in one's memory, in which case one can # use "full" with "ac". Rest of the mpms can be run in "full" mode. # # There is also a CUDA pattern matcher (only available if Suricata was # compiled with --enable-cuda: b2g_cuda. Make sure to update your # max-pending-packets setting above as well if you use b2g_cuda. mpm-algo: ac # The memory settings for hash size of these algorithms can vary from lowest # (2048) - low (4096) - medium (8192) - high (16384) - higher (32768) - max # (65536). The bloomfilter sizes of these algorithms can vary from low (512) - # medium (1024) - high (2048). # # For B2g/B3g algorithms, there is a support for two different scan/search # algorithms. For B2g the scan algorithms are B2gScan & B2gScanBNDMq, and # search algorithms are B2gSearch & B2gSearchBNDMq. For B3g scan algorithms # are B3gScan & B3gScanBNDMq, and search algorithms are B3gSearch & # B3gSearchBNDMq. # # For B2g the different scan/search algorithms and, hash and bloom # filter size settings. For B3g the different scan/search algorithms and, hash # and bloom filter size settings. For wumanber the hash and bloom filter size # settings. pattern-matcher: - b2gc: search-algo: B2gSearchBNDMq hash-size: low bf-size: medium - b2gm: search-algo: B2gSearchBNDMq hash-size: low bf-size: medium - b2g: search-algo: B2gSearchBNDMq hash-size: low bf-size: medium - b3g: search-algo: B3gSearchBNDMq hash-size: low bf-size: medium - wumanber: hash-size: low bf-size: medium # Defrag settings: defrag: trackers: 65535 # number of defragmented flows to follow max-frags: 65535 # number of fragments to keep (higher than trackers) prealloc: yes timeout: 60 # Flow settings: # By default, the reserved memory (memcap) for flows is 32MB. This is the limit # for flow allocation inside the engine. You can change this value to allow # more memory usage for flows. # The hash-size determine the size of the hash used to identify flows inside # the engine, and by default the value is 65536. # At the startup, the engine can preallocate a number of flows, to get a better # performance. The number of flows preallocated is 10000 by default. # emergency-recovery is the percentage of flows that the engine need to # prune before unsetting the emergency state. The emergency state is activated # when the memcap limit is reached, allowing to create new flows, but # prunning them with the emergency timeouts (they are defined below). # If the memcap is reached, the engine will try to prune flows # with the default timeouts. If it doens't find a flow to prune, it will set # the emergency bit and it will try again with more agressive timeouts. # If that doesn't work, then it will try to kill the last time seen flows # not in use. # The memcap can be specified in kb, mb, gb. Just a number indicates it's # in bytes. flow: memcap: 32mb hash-size: 65536 prealloc: 10000 emergency-recovery: 30 # Specific timeouts for flows. Here you can specify the timeouts that the # active flows will wait to transit from the current state to another, on each # protocol. The value of "new" determine the seconds to wait after a hanshake or # stream startup before the engine free the data of that flow it doesn't # change the state to established (usually if we don't receive more packets # of that flow). The value of "established" is the amount of # seconds that the engine will wait to free the flow if it spend that amount # without receiving new packets or closing the connection. "closed" is the # amount of time to wait after a flow is closed (usually zero). # # There's an emergency mode that will become active under attack circumstances, # making the engine to check flow status faster. This configuration variables # use the prefix "emergency-" and work similar as the normal ones. # Some timeouts doesn't apply to all the protocols, like "closed", for udp and # icmp. flow-timeouts: default: new: 30 established: 300 closed: 0 emergency-new: 10 emergency-established: 100 emergency-closed: 0 tcp: new: 60 established: 3600 closed: 120 emergency-new: 10 emergency-established: 300 emergency-closed: 20 udp: new: 30 established: 300 emergency-new: 10 emergency-established: 100 icmp: new: 30 established: 300 emergency-new: 10 emergency-established: 100 # Stream engine settings. Here the TCP stream tracking and reaasembly # engine is configured. # # stream: # memcap: 32mb # Can be specified in kb, mb, gb. Just a # # number indicates it's in bytes. # checksum-validation: yes # To validate the checksum of received # # packet. If csum validation is specified as # # "yes", then packet with invalid csum will not # # be processed by the engine stream/app layer. # # Warning: locally generated trafic can be # # generated without checksum due to hardware offload # # of checksum. You can control the handling of checksum # # on a per-interface basis via the 'checksum-checks' # # option # max-sessions: 262144 # 256k concurrent sessions # prealloc-sessions: 32768 # 32k sessions prealloc'd # midstream: false # don't allow midstream session pickups # async-oneside: false # don't enable async stream handling # inline: no # stream inline mode # # reassembly: # memcap: 64mb # Can be specified in kb, mb, gb. Just a number # # indicates it's in bytes. # depth: 1mb # Can be specified in kb, mb, gb. Just a number # # indicates it's in bytes. # toserver-chunk-size: 2560 # inspect raw stream in chunks of at least # # this size. Can be specified in kb, mb, # # gb. Just a number indicates it's in bytes. # toclient-chunk-size: 2560 # inspect raw stream in chunks of at least # # this size. Can be specified in kb, mb, # # gb. Just a number indicates it's in bytes. stream: memcap: 32mb checksum-validation: yes # reject wrong csums inline: no # no inline mode reassembly: memcap: 64mb depth: 1mb # reassemble 1mb into a stream toserver-chunk-size: 2560 toclient-chunk-size: 2560 # Host table: # # Host table is used by tagging and per host thresholding subsystems. # host: hash-size: 4096 prealloc: 1000 memcap: 16777216 # Logging configuration. This is not about logging IDS alerts, but # IDS output about what its doing, errors, etc. logging: # The default log level, can be overridden in an output section. # Note that debug level logging will only be emitted if Suricata was # compiled with the --enable-debug configure option. # # This value is overriden by the SC_LOG_LEVEL env var. default-log-level: info # The default output format. Optional parameter, should default to # something reasonable if not provided. Can be overriden in an # output section. You can leave this out to get the default. # # This value is overriden by the SC_LOG_FORMAT env var. #default-log-format: "[%i] %t - (%f:%l) <%d> (%n) -- " # A regex to filter output. Can be overridden in an output section. # Defaults to empty (no filter). # # This value is overriden by the SC_LOG_OP_FILTER env var. default-output-filter: # Define your logging outputs. If none are defined, or they are all # disabled you will get the default - console output. outputs: - console: enabled: yes - file: enabled: yes filename: /var/log/suricata.log - syslog: enabled: yes facility: local5 format: "[%i] <%d> -- " # PF_RING configuration. for use with native PF_RING support # for more info see http://www.ntop.org/PF_RING.html pfring: - interface: eth0 # Number of receive threads (>1 will enable experimental flow pinned # runmode) threads: 1 # Default clusterid. PF_RING will load balance packets based on flow. # All threads/processes that will participate need to have the same # clusterid. cluster-id: 99 # Default PF_RING cluster type. PF_RING can load balance per flow or per hash. # This is only supported in versions of PF_RING > 4.1.1. cluster-type: cluster_round_robin # bpf filter for this interface #bpf-filter: tcp # Choose checksum verification mode for the interface. At the moment # of the capture, some packets may be with an invalid checksum due to # offloading to the network card of the checksum computation. # Possible values are: # - rxonly: only compute checksum for packets received by network card. # - yes: checksum validation is forced # - no: checksum validation is disabled # - auto: suricata uses a statistical approach to detect when # checksum off-loading is used. (default) # Warning: 'checksum-validation' must be set to yes to have any validation #checksum-checks: auto # Second interface #- interface: eth1 # threads: 3 # cluster-id: 93 # cluster-type: cluster_flow pcap: - interface: eth0 #buffer-size: 32768 #bpf-filter: "tcp and port 25" # Choose checksum verification mode for the interface. At the moment # of the capture, some packets may be with an invalid checksum due to # offloading to the network card of the checksum computation. # Possible values are: # - yes: checksum validation is forced # - no: checksum validation is disabled # - auto: suricata uses a statistical approach to detect when # checksum off-loading is used. (default) # Warning: 'checksum-validation' must be set to yes to have any validation #checksum-checks: auto # For FreeBSD ipfw(8) divert(4) support. # Please make sure you have ipfw_load="YES" and ipdivert_load="YES" # in /etc/loader.conf or kldload'ing the appropriate kernel modules. # Additionally, you need to have an ipfw rule for the engine to see # the packets from ipfw. For Example: # # ipfw add 100 divert 8000 ip from any to any # # The 8000 above should be the same number you passed on the command # line, i.e. -d 8000 # ipfw: # Reinject packets at the specified ipfw rule number. This config # option is the ipfw rule number AT WHICH rule processing continues # in the ipfw processing system after the engine has finished # inspecting the packet for acceptance. If no rule number is specified, # accepted packets are reinjected at the divert rule which they entered # and IPFW rule processing continues. No check is done to verify # this will rule makes sense so care must be taken to avoid loops in ipfw. # ## The following example tells the engine to reinject packets # back into the ipfw firewall AT rule number 5500: # # ipfw-reinjection-rule-number: 5500 # Set the default rule path here to search for the files. # if not set, it will look at the current working dir default-rule-path: /etc/suricata/rules/ rule-files: #Malware/trojan oriented rules - emerging-trojan.rules - emerging-malware.rules - emerging-mobile_malware.rules - emerging-worm.rules - emerging-user_agents.rules - emerging-current_events.rules #important but relatively low load rules you'll likely want to keep on - emerging-ftp.rules - emerging-pop3.rules - emerging-rpc.rules - emerging-attack_response.rules # - emerging-icmp.rules - emerging-scan.rules - emerging-voip.rules - emerging-imap.rules - emerging-web_server.rules - emerging-smtp.rules - emerging-dns.rules - emerging-misc.rules - emerging-snmp.rules - emerging-sql.rules - emerging-dos.rules - emerging-telnet.rules - emerging-exploit.rules - emerging-tftp.rules #useful but often high load rules. Look here for performance tuning - emerging-web_client.rules - emerging-netbios.rules #things you'll want to look through and consider policy needs - emerging-policy.rules # - emerging-games.rules - emerging-p2p.rules - emerging-chat.rules #informational, not recommended for high speed nets # - emerging-icmp_info.rules # - emerging-info.rules # - emerging-shellcode.rules # - emerging-inappropriate.rules # - emerging-web_specific_apps.rules # - emerging-activex.rules #ip based rules - botcc.rules # - botcc.portgrouped.rules - ciarmy.rules - compromised.rules - drop.rules - dshield.rules - tor.rules #only use the scada_special if you have the scada extensions compiled int # - emerging-scada_special.rules # - emerging-scada.rules classification-file: /etc/suricata/classification.config reference-config-file: /etc/suricata/reference.config # Holds variables that would be used by the engine. vars: # Holds the address group vars that would be passed in a Signature. # These would be retrieved during the Signature address parsing stage. address-groups: HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]" EXTERNAL_NET: "any" HTTP_SERVERS: "$HOME_NET" SMTP_SERVERS: "$HOME_NET" SQL_SERVERS: "$HOME_NET" DNS_SERVERS: "$HOME_NET" TELNET_SERVERS: "$HOME_NET" AIM_SERVERS: "$EXTERNAL_NET" DNP3_SERVER: "$HOME_NET" DNP3_CLIENT: "$HOME_NET" MODBUS_CLIENT: "$HOME_NET" MODBUS_SERVER: "$HOME_NET" ENIP_CLIENT: "$HOME_NET" ENIP_SERVER: "$HOME_NET" # Holds the port group vars that would be passed in a Signature. # These would be retrieved during the Signature port parsing stage. port-groups: HTTP_PORTS: "80,81,311,591,593,901,1220,1414,1830,2301,2381,2809,3128,3702,4343,5250,7001,7145,7510,7777,7779,8000,8008,8014,8028,8080,8088,8118,8123,8180,8181,8243,8280,8800,8888,8899,9080,9090,9091,9443,9999,11371,55555" SHELLCODE_PORTS: "!80" ORACLE_PORTS: 1521 SSH_PORTS: 22 DNP3_PORTS: 20000 # Set the order of alerts bassed on actions # The default order is pass, drop, reject, alert action-order: - pass - drop - reject - alert # Host specific policies for defragmentation and TCP stream # reassembly. The host OS lookup is done using a radix tree, just # like a routing table so the most specific entry matches. host-os-policy: # Make the default policy windows. windows: [0.0.0.0/0] bsd: [] bsd-right: [] old-linux: [] linux: [] old-solaris: [] solaris: [] hpux10: [] hpux11: [] irix: [] macos: [] vista: [] windows2k3: [] # Limit for the maximum number of asn1 frames to decode (default 256) asn1-max-frames: 256 # When run with the option --engine-analysis, the engine will read each of # the parameters below, and print reports for each of the enabled sections # and exit. The reports are printed to a file in the default log dir # given by the parameter "default-log-dir", with engine reporting # subsection below printing reports in its own report file. engine-analysis: # enables printing reports for fast-pattern for every rule. rules-fast-pattern: yes # enables printing reports for each rule rules: yes #recursion and match limits for PCRE where supported pcre: match-limit: 3500 match-limit-recursion: 1500 ########################################################################### # Configure libhtp. # # # default-config: Used when no server-config matches # personality: List of personalities used by default # request-body-limit: Limit reassembly of request body for inspection # by http_client_body & pcre /P option. # response-body-limit: Limit reassembly of response body for inspection # by file_data, http_server_body & pcre /Q option. # double-decode-path: Double decode path section of the URI # double-decode-query: Double decode query section of the URI # # server-config: List of server configurations to use if address matches # address: List of ip addresses or networks for this block # personalitiy: List of personalities used by this block # request-body-limit: Limit reassembly of request body for inspection # by http_client_body & pcre /P option. # response-body-limit: Limit reassembly of response body for inspection # by file_data, http_server_body & pcre /Q option. # double-decode-path: Double decode path section of the URI # double-decode-query: Double decode query section of the URI # # Currently Available Personalities: # Minimal # Generic # IDS (default) # IIS_4_0 # IIS_5_0 # IIS_5_1 # IIS_6_0 # IIS_7_0 # IIS_7_5 # Apache # Apache_2_2 ########################################################################### libhtp: default-config: personality: IDS # Can be specified in kb, mb, gb. Just a number indicates # it's in bytes. request-body-limit: 0 response-body-limit: 0 double-decode-path: no double-decode-query: no ##### Set proper personality for your net ####### # server-config: # # - apache: # address: [192.168.1.0/24, 127.0.0.0/8, "::1"] # personality: Apache_2_2 # # Can be specified in kb, mb, gb. Just a number indicates # # it's in bytes. # request-body-limit: 0 # response-body-limit: 0 # double-decode-path: no # double-decode-query: no # # - iis7: # address: # - 192.168.0.0/24 # - 192.168.10.0/24 # personality: IIS_7_0 # # Can be specified in kb, mb, gb. Just a number indicates # # it's in bytes. # request-body-limit: 0 # response-body-limit: 0 # double-decode-path: no # double-decode-query: no # Profiling settings. Only effective if Suricata has been built with the # the --enable-profiling configure flag. # profiling: # rule profiling rules: # Profiling can be disabled here, but it will still have a # performance impact if compiled in. enabled: yes filename: rule_perf.log append: yes # Sort options: ticks, avgticks, checks, matches, maxticks sort: avgticks # Limit the number of items printed at exit. #limit: 100 # packet profiling packets: # Profiling can be disabled here, but it will still have a # performance impact if compiled in. enabled: yes filename: packet_stats.log append: yes # per packet csv output csv: # Output can be disabled here, but it will still have a # performance impact if compiled in. enabled: no filename: packet_stats.csv # profiling of locking. Only available when Suricata was built with # --enable-profiling-locks. locks: enabled: no filename: lock_stats.log append: yes # Suricata core dump configuration. Limits the size of the core dump file to # approximately max-dump. The actual core dump size will be a multiple of the # page size. Core dumps that would be larger than max-dump are truncated. On # Linux, the actual core dump size may be a few pages larger than max-dump. # Setting max-dump to 0 disables core dumping. # Setting max-dump to 'unlimited' will give the full core dump file. # On 32-bit Linux, a max-dump value >= ULONG_MAX may cause the core dump size # to be 'unlimited'. coredump: max-dump: unlimited
25、SELKS里的suricata的threshold.config(非常重要)
这根,默认为空。
26、SELKS里的suricata的tls-events.rules(非常重要)
# TLS event rules # # SID's fall in the 2230000+ range. See http://doc.emergingthreats.net/bin/view/Main/SidAllocation # # These sigs fire at most once per connection. # # A flowint tls.anomaly.count is incremented for each match. By default it will be 0. # alert tls any any -> any any (msg:"SURICATA TLS invalid SSLv2 header"; flow:established; app-layer-event:tls.invalid_sslv2_header; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230000; rev:1;) alert tls any any -> any any (msg:"SURICATA TLS invalid TLS header"; flow:established; app-layer-event:tls.invalid_tls_header; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230001; rev:1;) alert tls any any -> any any (msg:"SURICATA TLS invalid record version"; flow:established; app-layer-event:tls.invalid_record_version; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230015; rev:1;) alert tls any any -> any any (msg:"SURICATA TLS invalid record type"; flow:established; app-layer-event:tls.invalid_record_type; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230002; rev:1;) alert tls any any -> any any (msg:"SURICATA TLS invalid handshake message"; flow:established; app-layer-event:tls.invalid_handshake_message; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230003; rev:1;) alert tls any any -> any any (msg:"SURICATA TLS invalid certificate"; flow:established; app-layer-event:tls.invalid_certificate; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230004; rev:1;) alert tls any any -> any any (msg:"SURICATA TLS certificate missing element"; flow:established; app-layer-event:tls.certificate_missing_element; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230005; rev:1;) alert tls any any -> any any (msg:"SURICATA TLS certificate unknown element"; flow:established; app-layer-event:tls.certificate_unknown_element; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230006; rev:1;) alert tls any any -> any any (msg:"SURICATA TLS certificate invalid length"; flow:established; app-layer-event:tls.certificate_invalid_length; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230007; rev:1;) alert tls any any -> any any (msg:"SURICATA TLS certificate invalid string"; flow:established; app-layer-event:tls.certificate_invalid_string; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230008; rev:1;) alert tls any any -> any any (msg:"SURICATA TLS error message encountered"; flow:established; app-layer-event:tls.error_message_encountered; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230009; rev:1;) alert tls any any -> any any (msg:"SURICATA TLS invalid record/traffic"; flow:established; app-layer-event:tls.invalid_ssl_record; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230010; rev:1;) alert tls any any -> any any (msg:"SURICATA TLS heartbeat encountered"; flow:established; app-layer-event:tls.heartbeat_message; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230011; rev:1;) alert tls any any -> any any (msg:"SURICATA TLS overflow heartbeat encountered, possible exploit attempt (heartbleed)"; flow:established; app-layer-event:tls.overflow_heartbeat_message; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; reference:cve,2014-0160; sid:2230012; rev:1;) alert tls any any -> any any (msg:"SURICATA TLS invalid heartbeat encountered, possible exploit attempt (heartbleed)"; flow:established; app-layer-event:tls.invalid_heartbeat_message; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; reference:cve,2014-0160; sid:2230013; rev:1;) alert tls any any -> any any (msg:"SURICATA TLS invalid encrypted heartbeat encountered, possible exploit attempt (heartbleed)"; flow:established; app-layer-event:tls.dataleak_heartbeat_mismatch; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; reference:cve,2014-0160; sid:2230014; rev:1;) alert tls any any -> any any (msg:"SURICATA TLS multiple SNI extensions"; flow:established,to_server; app-layer-event:tls.multiple_sni_extensions; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230016; rev:1;) alert tls any any -> any any (msg:"SURICATA TLS invalid SNI type"; flow:established,to_server; app-layer-event:tls.invalid_sni_type; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230017; rev:1;) alert tls any any -> any any (msg:"SURICATA TLS invalid SNI length"; flow:established,to_server; app-layer-event:tls.invalid_sni_length; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230018; rev:1;) alert tls any any -> any any (msg:"SURICATA TLS handshake invalid length"; flow:established; app-layer-event:tls.handshake_invalid_length; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230019; rev:1;) alert tls any any -> any any (msg:"SURICATA TLS too many records in packet"; flow:established; app-layer-event:tls.too_many_records_in_packet; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230020; rev:1;) #next sid is 2230021
27、SELKS里的suricata的unicode.map(非常重要)
# Windows Version: 5.00.2195 # OEM codepage: 437 # ACP codepage: 1252 # INSTALLED CODEPAGES 10000 (MAC - Roman) 10079 (MAC - Icelandic) 1250 (ANSI - Central Europe) 00a1:21 00a2:63 00a3:4c 00a5:59 00aa:61 00b2:32 00b3:33 00b9:31 00ba:6f 00bc:31 00bd:31 00be:33 00c0:41 00c3:41 00c5:41 00c6:41 00c8:45 00ca:45 00cc:49 00cf:49 00d1:4e 00d2:4f 00d5:4f 00d8:4f 00d9:55 00db:55 00e0:61 00e3:61 00e5:61 00e6:61 00e8:65 00ea:65 00ec:69 00ef:69 00f1:6e 00f2:6f 00f5:6f 00f8:6f 00f9:75 00fb:75 00ff:79 0100:41 0101:61 0108:43 0109:63 010a:43 010b:63 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 013b:4c 013c:6c 0145:4e 0146:6e 014c:4f 014d:6f 014e:4f 014f:6f 0152:4f 0153:6f 0156:52 0157:72 015c:53 015d:73 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0180:62 0191:46 0192:66 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01c0:7c 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02cb:60 02cd:5f 02dc:7e 0300:60 0302:5e 0303:7e 030e:22 0331:5f 0332:5f 037e:3b 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2032:27 2035:60 203c:21 2044:2f 2074:34 2075:35 2076:36 2077:37 2078:38 2080:30 2081:31 2082:32 2083:33 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:50 2119:50 211a:51 211b:52 211c:52 211d:52 2124:5a 2128:5a 212a:4b 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 2133:4d 2134:6f 2191:5e 2194:2d 2195:7c 21a8:7c 2212:2d 2215:2f 2216:5c 2217:2a 221f:4c 2223:7c 2236:3a 223c:7e 2303:5e 2329:3c 232a:3e 2502:2d 250c:2d 2514:4c 2518:2d 251c:2b 2524:2b 252c:54 2534:2b 253c:2b 2550:3d 2554:2d 255a:4c 255d:2d 2566:54 256c:2b 2580:2d 2584:2d 2588:2d 2591:2d 2592:2d 2593:2d 25ac:2d 25b2:5e 25ba:3e 25c4:3c 25cb:30 25d9:30 263c:30 2640:2b 2642:3e 266a:64 266b:64 2758:7c 3000:20 3008:3c 3009:3e 301a:5b 301b:5d ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e 1251 (ANSI - Cyrillic) 00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d8:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f8:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00ff:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 203c:21 2190:3c 2191:5e 2192:3e 2193:76 2194:2d 221a:76 221f:4c 2500:2d 250c:2d 2514:4c 2518:2d 251c:2b 2524:2b 252c:54 2534:2b 253c:2b 2550:3d 2552:2d 2558:4c 2559:4c 255a:4c 255b:2d 255c:2d 255d:2d 2564:54 2565:54 2566:54 256a:2b 256b:2b 256c:2b 2580:2d 2584:2d 2588:2d 2591:2d 2592:2d 2593:2d 25ac:2d 25b2:5e 25ba:3e 25c4:3c 25cb:30 25d9:30 263a:4f 263b:4f 263c:30 2640:2b 2642:3e 266a:64 266b:64 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e 1252 (ANSI - Latin I) 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0179:5a 017b:5a 017c:7a 0180:62 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01c0:7c 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c8:27 02cb:60 02cd:5f 0300:60 0302:5e 0303:7e 030e:22 0331:5f 0332:5f 037e:3b 0393:47 0398:54 03a3:53 03a6:46 03a9:4f 03b1:61 03b4:64 03b5:65 03c0:70 03c3:73 03c4:74 03c6:66 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2017:3d 2032:27 2035:60 2044:2f 2074:34 2075:35 2076:36 2077:37 2078:38 207f:6e 2080:30 2081:31 2082:32 2083:33 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 20a7:50 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:50 2119:50 211a:51 211b:52 211c:52 211d:52 2124:5a 2128:5a 212a:4b 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 2133:4d 2134:6f 2212:2d 2215:2f 2216:5c 2217:2a 221a:76 221e:38 2223:7c 2229:6e 2236:3a 223c:7e 2261:3d 2264:3d 2265:3d 2303:5e 2320:28 2321:29 2329:3c 232a:3e 2500:2d 250c:2b 2510:2b 2514:2b 2518:2b 251c:2b 252c:2d 2534:2d 253c:2b 2550:2d 2552:2b 2553:2b 2554:2b 2555:2b 2556:2b 2557:2b 2558:2b 2559:2b 255a:2b 255b:2b 255c:2b 255d:2b 2564:2d 2565:2d 2566:2d 2567:2d 2568:2d 2569:2d 256a:2b 256b:2b 256c:2b 2584:5f 2758:7c 3000:20 3008:3c 3009:3e 301a:5b 301b:5d ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e 1253 (ANSI - Greek) 00b4:2f 00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d8:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f8:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00ff:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 037e:3b 203c:21 2190:3c 2191:5e 2192:3e 2193:76 2194:2d 221f:4c 2500:2d 250c:2d 2514:4c 2518:2d 251c:2b 2524:2b 252c:54 2534:2b 253c:2b 2550:3d 2554:2d 255a:4c 255d:2d 2566:54 256c:2b 2580:2d 2584:2d 2588:2d 2591:2d 2592:2d 2593:2d 25ac:2d 25b2:5e 25ba:3e 25c4:3c 25cb:30 25d9:30 263a:4f 263b:4f 263c:30 2640:2b 2642:3e 266a:64 266b:64 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e 1254 (ANSI - Turkish) 00dd:59 00fd:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01c0:7c 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c7:5e 02c8:27 02cb:60 02cd:5f 02d8:5e 02d9:27 0300:60 0302:5e 0331:5f 0332:5f 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2032:27 2035:60 203c:21 2044:2f 2074:34 2075:35 2076:36 2077:37 2078:38 2081:30 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:50 2119:50 211a:51 211b:52 211c:52 211d:52 2124:5a 2128:5a 212a:4b 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 2133:4d 2134:6f 2191:5e 2193:76 2194:2d 2195:7c 21a8:7c 2212:2d 2215:2f 2216:5c 2217:2a 221f:4c 2223:7c 2236:3a 223c:7e 2303:5e 2329:3c 232a:3e 2502:2d 250c:2d 2514:4c 2518:2d 251c:2b 2524:2b 252c:54 2534:2b 253c:2b 2550:3d 2554:2d 255a:4c 255d:2d 2566:54 256c:2b 2580:2d 2584:2d 2588:2d 2591:2d 2592:2d 2593:2d 25ac:2d 25b2:5e 25ba:3e 25c4:3c 25cb:30 25d9:30 263a:4f 263b:4f 263c:30 2640:2b 2642:3e 266a:64 266b:64 2758:7c 3000:20 3008:3c 3009:3e 301a:5b 301b:3d 301d:22 301e:22 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e 1255 (ANSI - Hebrew) 0191:46 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e 1256 (ANSI - Arabic) 00c0:41 00c2:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00ce:49 00cf:49 00d4:4f 00d9:55 00db:55 00dc:55 0191:46 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e 1257 (ANSI - Baltic) ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e 1258 (ANSI/OEM - Viet Nam) ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e #INVALID CODEPAGE: 1361 20127 (US-ASCII) 00a0:20 00a1:21 00a2:63 00a4:24 00a5:59 00a6:7c 00a9:43 00aa:61 00ab:3c 00ad:2d 00ae:52 00b2:32 00b3:33 00b7:2e 00b8:2c 00b9:31 00ba:6f 00bb:3e 00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c6:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d0:44 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d8:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e6:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f8:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00ff:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0191:46 0192:66 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02cb:60 02cd:5f 02dc:7e 0300:60 0302:5e 0303:7e 030e:22 0331:5f 0332:5f 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2018:27 2019:27 201a:2c 201c:22 201d:22 201e:22 2022:2e 2026:2e 2032:27 2035:60 2039:3c 203a:3e 2122:54 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e 20261 (T.61) f8dd:5c f8de:5e f8df:60 f8e0:7b f8fc:7d f8fd:7e f8fe:7f 20866 (Russian - KOI8) 00a7:15 00ab:3c 00ad:2d 00ae:52 00b1:2b 00b6:14 00bb:3e 00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d8:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f8:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00ff:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 2013:2d 2014:2d 2018:27 2019:27 201a:27 201c:22 201d:22 201e:22 2022:07 2026:3a 2030:25 2039:3c 203a:3e 203c:13 2122:54 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 221f:1c 2302:7f 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 2665:03 2666:04 266a:0d 266b:0e 28591 (ISO 8859-1 Latin I) 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0191:46 0192:66 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02cb:60 02cd:5f 02dc:7e 0300:60 0302:5e 0303:7e 030e:22 0331:5f 0332:5f 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2018:27 2019:27 201a:2c 201c:22 201d:22 201e:22 2022:2e 2026:2e 2032:27 2035:60 2039:3c 203a:3e 2122:54 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e 28592 (ISO 8859-2 Central Europe) 00a1:21 00a2:63 00a5:59 00a6:7c 00a9:43 00aa:61 00ab:3c 00ae:52 00b2:32 00b3:33 00b7:2e 00b9:31 00ba:6f 00bb:3e 00c0:41 00c3:41 00c5:41 00c6:41 00c8:45 00ca:45 00cc:49 00cf:49 00d0:44 00d1:4e 00d2:4f 00d5:4f 00d8:4f 00d9:55 00db:55 00e0:61 00e3:61 00e5:61 00e6:61 00e8:65 00ea:65 00ec:69 00ef:69 00f1:6e 00f2:6f 00f5:6f 00f8:6f 00f9:75 00fb:75 00ff:79 0100:41 0101:61 0108:43 0109:63 010a:43 010b:63 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 013b:4c 013c:6c 0145:4e 0146:6e 014c:4f 014d:6f 014e:4f 014f:6f 0152:4f 0153:6f 0156:52 0157:72 015c:53 015d:73 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0180:62 0189:44 0191:46 0192:66 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02cb:60 02cd:5f 02dc:7e 0300:60 0302:5e 0303:7e 030e:22 0331:5f 0332:5f 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2018:27 2019:27 201a:2c 201c:22 201d:22 201e:22 2022:2e 2026:2e 2032:27 2035:60 2039:3c 203a:3e 2122:54 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e #INVALID CODEPAGE: 28595 #INVALID CODEPAGE: 28597 28605 (ISO 8859-15 Latin 9) 00a6:7c 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0138:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014a:4e 014b:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:54 0169:74 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0179:5a 017b:5a 017c:7a 0180:62 0189:44 0191:46 0192:66 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02cb:60 02cd:5f 02dc:7e 0300:60 0302:5e 0303:7e 030e:22 0331:5f 0332:5f 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2018:27 2019:27 201a:2c 201c:22 201d:22 201e:22 2022:2e 2026:2e 2032:27 2035:60 2039:3c 203a:3e 2122:54 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e 37 (IBM EBCDIC - U.S./Canada) 0004:37 0005:2d 0006:2e 0007:2f 0008:16 0009:05 000a:25 0014:3c 0015:3d 0016:32 0017:26 001a:3f 001b:27 0020:40 0021:5a 0022:7f 0023:7b 0024:5b 0025:6c 0026:50 0027:7d 0028:4d 0029:5d 002a:5c 002b:4e 002c:6b 002d:60 002e:4b 002f:61 003a:7a 003b:5e 003c:4c 003d:7e 003e:6e 003f:6f 0040:7c 005f:6d 0060:79 007c:4f 007f:07 0080:20 0081:21 0082:22 0083:23 0084:24 0085:15 0086:06 0087:17 0088:28 0089:29 008a:2a 008b:2b 008c:2c 008d:09 008e:0a 008f:1b 0090:30 0091:31 0092:1a 0093:33 0094:34 0095:35 0096:36 0097:08 0098:38 0099:39 009a:3a 009b:3b 009c:04 009d:14 009e:3e 00a0:41 00a2:4a 00a6:6a 00ac:5f 00c0:64 00c1:65 00c2:62 00c3:66 00c4:63 00c5:67 00c7:68 00c8:74 00c9:71 00ca:72 00cb:73 00cc:78 00cd:75 00ce:76 00cf:77 00d1:69 00df:59 00e0:44 00e1:45 00e2:42 00e3:46 00e4:43 00e5:47 00e7:48 00e8:54 00e9:51 00ea:52 00eb:53 00ec:58 00ed:55 00ee:56 00ef:57 00f1:49 00f8:70 ff01:5a ff02:7f ff03:7b ff04:5b ff05:6c ff06:50 ff07:7d ff08:4d ff09:5d ff0a:5c ff0b:4e ff0c:6b ff0d:60 ff0e:4b ff0f:61 ff1a:7a ff1b:5e ff1c:4c ff1d:7e ff1e:6e ff20:7c ff3f:6d ff40:79 ff5c:4f 437 (OEM - United States) 00a4:0f 00a7:15 00a8:22 00a9:63 00ad:2d 00ae:72 00af:5f 00b3:33 00b4:27 00b6:14 00b8:2c 00b9:31 00be:5f 00c0:41 00c1:41 00c2:41 00c3:41 00c8:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d0:44 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d7:78 00d8:4f 00d9:55 00da:55 00db:55 00dd:59 00de:5f 00e3:61 00f0:64 00f5:6f 00f8:6f 00fd:79 00fe:5f 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01c0:7c 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02ca:27 02cb:60 02cd:5f 02dc:7e 0300:60 0301:27 0302:5e 0303:7e 0308:22 030e:22 0327:2c 0331:5f 0332:5f 037e:3b 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2017:5f 2018:60 2019:27 201a:2c 201c:22 201d:22 201e:2c 2020:2b 2022:07 2026:2e 2030:25 2032:27 2035:60 2039:3c 203a:3e 203c:13 2044:2f 2074:34 2075:35 2076:36 2077:37 2078:38 2080:30 2081:31 2082:32 2083:33 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 20dd:09 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:50 2119:50 211a:51 211b:52 211c:52 211d:52 2122:54 2124:5a 2128:5a 212a:4b 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 2133:4d 2134:6f 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 2212:2d 2215:2f 2216:5c 2217:2a 221f:1c 2223:7c 2236:3a 223c:7e 2302:7f 2303:5e 2329:3c 232a:3e 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 2665:03 2666:04 266a:0d 266b:0e 2758:7c 3000:20 3007:09 3008:3c 3009:3e 301a:5b 301b:5d ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e 500 (IBM EBCDIC - International) 0004:37 0005:2d 0006:2e 0007:2f 0008:16 0009:05 000a:25 0014:3c 0015:3d 0016:32 0017:26 001a:3f 001b:27 0020:40 0021:4f 0022:7f 0023:7b 0024:5b 0025:6c 0026:50 0027:7d 0028:4d 0029:5d 002a:5c 002b:4e 002c:6b 002d:60 002e:4b 002f:61 003a:7a 003b:5e 003c:4c 003d:7e 003e:6e 003f:6f 0040:7c 005b:4a 005d:5a 005e:5f 005f:6d 0060:79 007f:07 0080:20 0081:21 0082:22 0083:23 0084:24 0085:15 0086:06 0087:17 0088:28 0089:29 008a:2a 008b:2b 008c:2c 008d:09 008e:0a 008f:1b 0090:30 0091:31 0092:1a 0093:33 0094:34 0095:35 0096:36 0097:08 0098:38 0099:39 009a:3a 009b:3b 009c:04 009d:14 009e:3e 00a0:41 00a6:6a 00c0:64 00c1:65 00c2:62 00c3:66 00c4:63 00c5:67 00c7:68 00c8:74 00c9:71 00ca:72 00cb:73 00cc:78 00cd:75 00ce:76 00cf:77 00d1:69 00df:59 00e0:44 00e1:45 00e2:42 00e3:46 00e4:43 00e5:47 00e7:48 00e8:54 00e9:51 00ea:52 00eb:53 00ec:58 00ed:55 00ee:56 00ef:57 00f1:49 00f8:70 ff01:4f ff02:7f ff03:7b ff04:5b ff05:6c ff06:50 ff07:7d ff08:4d ff09:5d ff0a:5c ff0b:4e ff0c:6b ff0d:60 ff0e:4b ff0f:61 ff1a:7a ff1b:5e ff1c:4c ff1d:7e ff1e:6e ff20:7c ff3b:4a ff3d:5a ff3e:5f ff3f:6d ff40:79 850 (OEM - Multilingual Latin I) 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01a9:53 01ab:74 01ae:54 01af:55 01b0:75 01b6:5a 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02cb:27 02cd:5f 02dc:7e 0300:27 0302:5e 0303:7e 030e:22 0331:5f 0332:5f 037e:3b 0393:47 03a3:53 03a6:46 03a9:4f 03b1:61 03b4:64 03b5:65 03c0:70 03c3:73 03c4:74 03c6:66 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2018:27 2019:27 201a:27 201c:22 201d:22 201e:22 2022:07 2024:07 2026:2e 2030:25 2039:3c 203a:3e 203c:13 2044:2f 2070:30 2074:34 2075:35 2076:36 2077:37 2078:39 207f:6e 2080:30 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 20a7:50 20dd:4f 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:50 2119:50 211a:51 211b:52 211c:52 211d:52 2122:54 2124:5a 2126:4f 2128:5a 212a:4b 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 2133:4d 2134:6f 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 2211:53 2212:2d 2215:2f 2216:2f 2217:2a 2219:07 221a:56 221e:38 221f:1c 2229:6e 2236:3a 223c:7e 2248:7e 2261:3d 2264:3d 2265:3d 2302:7f 2303:5e 2320:28 2321:29 2329:3c 232a:3e 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 2665:03 2666:04 266a:0d 266b:0e 2713:56 3000:20 3007:4f 3008:3c 3009:3e 301a:5b 301b:5d ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e 860 (OEM - Portuguese) 00a4:0f 00a5:59 00a7:15 00a8:22 00a9:63 00ad:5f 00ae:72 00af:16 00b3:33 00b4:2f 00b6:14 00b8:2c 00b9:31 00be:33 00c4:41 00c5:41 00c6:41 00cb:45 00ce:49 00cf:49 00d0:44 00d6:4f 00d7:58 00d8:4f 00db:55 00dd:59 00de:54 00e4:61 00e5:61 00e6:61 00eb:65 00ee:69 00ef:69 00f0:64 00f6:6f 00f8:6f 00fb:75 00fd:79 00fe:74 00ff:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:5c 0161:7c 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0191:46 0192:66 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01c0:7c 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 0278:66 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02c9:16 02ca:2f 02cb:60 02cd:5f 02dc:7e 0300:60 0301:2f 0302:5e 0303:7e 0304:16 0305:16 0308:22 030e:22 0327:2c 0331:5f 0332:5f 037e:3b 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:5f 2011:5f 2013:5f 2014:5f 2017:5f 2018:27 2019:27 201a:2c 201c:22 201d:22 201e:22 2022:07 2024:07 2026:2e 2030:25 2032:27 2035:60 2039:3c 203a:3e 203c:13 2044:2f 2070:30 2074:34 2075:35 2076:36 2077:37 2078:38 2080:30 2081:31 2083:33 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 20dd:4f 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:70 2119:50 211a:51 211b:52 211c:52 211d:52 2122:74 2124:5a 2128:5a 212a:4b 212b:41 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 2133:4d 2134:6f 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 2205:4f 2212:5f 2215:2f 2216:5c 2217:2a 221f:1c 2223:7c 2236:3a 223c:7e 22c5:07 2302:7f 2303:5e 2329:3c 232a:3e 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 2665:03 2666:04 266a:0d 266b:0e 3000:20 3007:4f 3008:3c 3009:3e 301a:5b 301b:5d 30fb:07 861 (OEM - Icelandic) 00a2:63 00a4:0f 00a5:59 00a7:15 00a8:22 00a9:63 00aa:61 00ad:5f 00ae:72 00af:16 00b3:33 00b4:2f 00b6:14 00b8:2c 00b9:31 00ba:6f 00be:33 00c0:41 00c2:41 00c3:41 00c8:45 00ca:45 00cb:45 00cc:49 00ce:49 00cf:49 00d1:4e 00d2:4f 00d4:4f 00d5:4f 00d7:58 00d9:55 00db:55 00e3:61 00ec:69 00ee:69 00ef:69 00f1:6e 00f2:6f 00f5:6f 00f9:75 00ff:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 0278:66 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02c9:16 02ca:2f 02cb:60 02cd:5f 02dc:7e 0300:60 0301:2f 0302:5e 0303:7e 0304:16 0305:16 0308:22 030e:22 0327:2c 0331:5f 0332:5f 037e:3b 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2017:5f 2018:27 2019:27 201a:27 201c:22 201d:22 201e:22 2022:07 2024:07 2026:07 2030:25 2032:27 2035:27 2039:3c 203a:3e 203c:13 2044:2f 2070:30 2074:34 2075:35 2076:36 2077:37 2078:38 2080:30 2081:31 2083:33 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 20dd:4f 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:70 2119:50 211a:51 211b:52 211c:52 211d:52 2122:74 2124:5a 2128:5a 212a:4b 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 2133:4d 2134:6f 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 2205:4f 2212:5f 2215:2f 2216:5c 2217:2a 221f:1c 2223:7c 2236:3a 223c:7e 22c5:07 2302:7f 2303:5e 2329:3c 232a:3e 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 2665:03 2666:04 266a:0d 266b:0e 3000:20 3007:4f 3008:3c 3009:3e 301a:5b 301b:5d 30fb:07 863 (OEM - Canadian French) 00a1:21 00a5:59 00a9:63 00aa:61 00ad:16 00ae:72 00b9:33 00ba:6f 00c1:41 00c3:41 00c4:41 00c5:41 00c6:41 00cc:49 00cd:49 00d0:44 00d1:4e 00d2:4f 00d3:4f 00d5:4f 00d6:4f 00d7:58 00d8:4f 00da:55 00dd:59 00de:54 00e1:61 00e3:61 00e4:61 00e5:61 00e6:61 00ec:69 00ed:69 00f0:64 00f1:6e 00f2:6f 00f5:6f 00f6:6f 00f8:6f 00fd:79 00fe:74 00ff:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:22 02ba:27 02bc:27 02c4:5e 02c6:5e 02c8:27 02c9:16 02cb:60 02cd:5f 02dc:7e 0300:60 0302:5e 0303:7e 0304:16 0305:16 0331:5f 0332:5f 037e:3b 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2018:27 2019:27 201a:27 201c:22 201d:22 201e:22 2022:07 2024:07 2026:07 2030:25 2032:27 2035:27 2039:3c 203a:3e 203c:13 2044:2f 2070:30 2074:34 2075:35 2076:36 2077:37 2078:38 2080:30 2081:31 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 20a7:50 20dd:4f 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:70 2119:50 211a:51 211b:52 211c:52 211d:52 2122:74 2124:5a 2128:5a 212a:4b 212b:41 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 2133:4d 2134:6f 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 2205:4f 2212:5f 2215:2f 2216:5c 2217:2a 221f:1c 2223:7c 2236:3a 223c:7e 22c5:07 2302:7f 2303:5e 2329:3c 232a:3e 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 2665:03 2666:04 266a:0d 266b:0e 3000:20 3007:4f 3008:3c 3009:3e 301a:5b 301b:5d 30fb:07 865 (OEM - Nordic) 00a2:63 00a5:59 00a7:15 00a8:22 00a9:63 00ad:5f 00ae:72 00af:16 00b3:33 00b4:2f 00b6:14 00b8:2c 00b9:31 00bb:3e 00be:33 00c0:41 00c1:41 00c2:41 00c3:41 00c8:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d0:44 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d7:58 00d9:55 00da:55 00db:55 00dd:59 00de:54 00e3:61 00f0:64 00f5:6f 00fd:79 00fe:74 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02c9:16 02ca:2f 02cb:60 02cd:5f 02dc:7e 0300:60 0301:2f 0302:5e 0303:7e 0304:16 0305:16 0308:22 030e:22 0327:2c 0331:5f 0332:5f 037e:3b 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2017:5f 2018:27 2019:27 201a:27 201c:22 201d:22 201e:22 2022:07 2024:07 2026:07 2030:25 2032:27 2035:27 2039:3c 203a:3e 203c:13 2044:2f 2070:30 2074:34 2075:35 2076:36 2077:37 2078:38 2080:30 2081:31 2083:33 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 20dd:4f 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:70 2119:50 211a:51 211b:52 211c:52 211d:52 2122:74 2124:5a 2128:5a 212a:4b 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 2133:4d 2134:6f 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 2205:4f 2212:5f 2215:2f 2216:5c 2217:2a 221f:1c 2223:7c 2236:3a 223c:7e 226b:3c 22c5:07 2302:7f 2303:5e 2329:3c 232a:3e 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 2665:03 2666:04 266a:0d 266b:0e 3000:20 3007:4f 3008:3c 3009:3e 300b:3e 301a:5b 301b:5d 30fb:07 874 (ANSI/OEM - Thai) 00a7:15 00b6:14 203c:13 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 221f:1c 2302:7f 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 2665:03 2666:04 266a:0d 266b:0e ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e 932 (ANSI/OEM - Japanese Shift-JIS) 00a1:21 00a5:5c 00a6:7c 00a9:63 00aa:61 00ad:2d 00ae:52 00b2:32 00b3:33 00b9:31 00ba:6f 00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c6:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d0:44 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d8:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00de:54 00df:73 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e6:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f0:64 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f8:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00fe:74 00ff:79 936 (ANSI/OEM - Simplified Chinese GBK) 00a6:7c 00aa:61 00ad:2d 00b2:32 00b3:33 00b9:31 00ba:6f 00d0:44 00dd:59 00de:54 00e2:61 00f0:65 00fd:79 00fe:74 949 (ANSI/OEM - Korean) 00a6:7c 00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00ff:79 20a9:5c 950 (ANSI/OEM - Traditional Chinese Big5) 00a1:21 00a6:7c 00a9:63 00aa:61 00ad:2d 00ae:52 00b2:32 00b3:33 00b9:31 00ba:6f 00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c6:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d0:44 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d8:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00de:54 00df:73 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e6:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f0:65 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f8:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00fe:74 00ff:79 65000 (UTF-7) 65001 (UTF-8)
同时,大家,可以去配置文件里看
root@SELKS:/etc/suricata/rules# pwd /etc/suricata/rules root@SELKS:/etc/suricata/rules# cat test-baidu.rules alert heep any any -> any any (msg:"hit baidu.com...";content:"baidu"; reference:url, www.baidu.com;) root@SELKS:/etc/suricata/rules#
然后 ,再启动suricata
注意,SELKS里的suricata启动脚本是在
有兴趣的朋友们,可以跟我这样粘贴出来,研究研究
root@SELKS:/etc/init.d# cat suricata #!/bin/sh -e # ### BEGIN INIT INFO # Provides: suricata # Required-Start: $time $network $local_fs $remote_fs # Required-Stop: $remote_fs # Default-Start: 2 3 4 5 # Default-Stop: 0 1 6 # Short-Description: Next Generation IDS/IPS # Description: Intrusion detection system that will # capture traffic from the network cards and will # match against a set of known attacks. ### END INIT INFO . /lib/lsb/init-functions # Source function library. if test -f /etc/default/suricata; then . /etc/default/suricata else echo "/etc/default/suricata is missing... bailing out!" fi # We'll add up all the options above and use them NAME=suricata DAEMON=/usr/bin/$NAME # Use this if you want the user to explicitly set 'RUN' in # /etc/default/ if [ "x$RUN" != "xyes" ] ; then log_failure_msg "$NAME disabled, please adjust the configuration to your needs " log_failure_msg "and then set RUN to 'yes' in /etc/default/$NAME to enable it." exit 0 fi check_root() { if [ "$(id -u)" != "0" ]; then log_failure_msg "You must be root to start, stop or restart $NAME." exit 4 fi } check_nfqueue() { if [ ! -e /proc/net/netfilter/nf_queue ]; then log_failure_msg "NFQUEUE support not found !" log_failure_msg "Please ensure the nfnetlink_queue module is loaded or built in kernel" exit 5 fi } check_run_dir() { if [ ! -d /var/run/suricata ]; then mkdir /var/run/suricata chmod 0755 /var/run/suricata fi } check_root case "$LISTENMODE" in nfqueue) IDMODE="IPS (nfqueue)" LISTEN_OPTIONS=" $NFQUEUE" check_nfqueue ;; pcap) IDMODE="IDS (pcap)" LISTEN_OPTIONS=" -i $IFACE" ;; af-packet) IDMODE="IDS (af-packet)" LISTEN_OPTIONS=" --af-packet" ;; *) echo "Unsupported listen mode $LISTENMODE, aborting" exit 1 ;; esac SURICATA_OPTIONS=" -c $SURCONF --pidfile $PIDFILE $LISTEN_OPTIONS -D -v" # See how we were called. case "$1" in start) if [ -f $PIDFILE ]; then PID1=`cat $PIDFILE` if kill -0 "$PID1" 2>/dev/null; then echo "$NAME is already running with PID $PID1" exit 0 fi fi check_run_dir if [ -z "$RUN_AS_USER" ]; then USER_SWITCH= else USER_SWITCH=--user=${RUN_AS_USER} chown ${RUN_AS_USER}:${RUN_AS_USER} /var/run/suricata fi echo -n "Starting suricata in $IDMODE mode..." if [ -f /usr/lib/libtcmalloc_minimal.so.0 ] && [ "x$TCMALLOC" = "xYES" ]; then export LD_PRELOAD="/usr/lib/libtcmalloc_minimal.so.0" #echo "Using googles tcmalloc for minor performance boost!?!" fi $DAEMON $SURICATA_OPTIONS $USER_SWITCH > /var/log/suricata/suricata-start.log 2>&1 & echo " done." ;; stop) echo -n "Stopping suricata: " if [ -f $PIDFILE ]; then PID2=`cat $PIDFILE` else echo " No PID file found; not running?" exit 0; fi start-stop-daemon --oknodo --stop --quiet --pidfile=$PIDFILE --exec $DAEMON if [ -n "$PID2" ]; then kill "$PID2" ret=$? sleep 2 if kill -0 "$PID2" 2>/dev/null; then ret=$? echo -n "Waiting . " cnt=0 while kill -0 "$PID2" 2>/dev/null; do ret=$? cnt=`expr "$cnt" + 1` if [ "$cnt" -gt 10 ]; then kill -9 "$PID2" break fi sleep 2 echo -n ". " done fi fi if [ -e $PIDFILE ]; then rm $PIDFILE > /dev/null 2>&1 fi echo " done." ;; status) # Check if running... if [ -s $PIDFILE ]; then PID3=`cat $PIDFILE` if kill -0 "$PID3" 2>/dev/null; then echo "$NAME is running with PID $PID3" exit 0 else echo "PID file $PIDFILE exists, but process not running!" fi else echo "$NAME not running!" fi ;; restart) $0 stop $0 start ;; force-reload) $0 stop $0 start ;; *) echo "Usage: $0 {start|stop|restart|status}" exit 1 esac exit 0 root@SELKS:/etc/init.d#
然而,我们需要如下来启动
root@SELKS:/etc/init.d# sudo /usr/bin/suricata -c /etc/suricata/suricata.yaml -i enp0s3 -s /etc/suricata/rules/test-baidu.rules [7966] 17/8/2017 -- 16:16:02 - (conf-yaml-loader.c:241) <Info> (ConfYamlParse) -- Including configuration file /etc/suricata/selks4-addin.yaml. [7966] 17/8/2017 -- 16:16:02 - (conf-yaml-loader.c:265) <Info> (ConfYamlParse) -- Configuration node 'default-rule-path' redefined. [7966] 17/8/2017 -- 16:16:02 - (conf-yaml-loader.c:265) <Info> (ConfYamlParse) -- Configuration node 'rule-files' redefined. [7966] 17/8/2017 -- 16:16:02 - (conf-yaml-loader.c:265) <Info> (ConfYamlParse) -- Configuration node 'classification-file' redefined. [7966] 17/8/2017 -- 16:16:02 - (conf-yaml-loader.c:265) <Info> (ConfYamlParse) -- Configuration node 'reference-config-file' redefined. [7966] 17/8/2017 -- 16:16:02 - (conf-yaml-loader.c:265) <Info> (ConfYamlParse) -- Configuration node 'detect' redefined. [7966] 17/8/2017 -- 16:16:02 - (conf-yaml-loader.c:265) <Info> (ConfYamlParse) -- Configuration node 'default-log-dir' redefined. [7966] 17/8/2017 -- 16:16:02 - (conf-yaml-loader.c:265) <Info> (ConfYamlParse) -- Configuration node 'stats' redefined. [7966] 17/8/2017 -- 16:16:02 - (conf-yaml-loader.c:265) <Info> (ConfYamlParse) -- Configuration node 'outputs' redefined. [7966] 17/8/2017 -- 16:16:02 - (conf-yaml-loader.c:265) <Info> (ConfYamlParse) -- Configuration node 'logging' redefined. [7966] 17/8/2017 -- 16:16:02 - (conf-yaml-loader.c:265) <Info> (ConfYamlParse) -- Configuration node 'af-packet' redefined. [7966] 17/8/2017 -- 16:16:02 - (suricata.c:1109) <Notice> (LogVersion) -- This is Suricata version 4.0.0-dev (rev 5e3d8b1)
或者这么来写自定义规则(为了遵循官网的习惯,命名为local.rules)
见官网
https://suricata.readthedocs.io/en/latest/rule-management/adding-your-own-rules.html
比如
alert http any any -> any any (msg:"Do not read gossip during work"; content:"Scarlett"; nocase; classtype:policy-violation; sid:1; rev:1;)
然后,还要将自定义规则文件,加载到配置文件里
然后,执行
root@SELKS:/etc/suricata/rules# sudo /usr/bin/suricata -c /etc/suricata/suricata.yaml -i enp0s3 -s /etc/suricata/rules/local.rules [8923] 17/8/2017 -- 17:14:22 - (conf-yaml-loader.c:241) <Info> (ConfYamlParse) -- Including configuration file /etc/suricata/selks4-addin.yaml. [8923] 17/8/2017 -- 17:14:22 - (conf-yaml-loader.c:265) <Info> (ConfYamlParse) -- Configuration node 'default-rule-path' redefined. [8923] 17/8/2017 -- 17:14:22 - (conf-yaml-loader.c:265) <Info> (ConfYamlParse) -- Configuration node 'rule-files' redefined. [8923] 17/8/2017 -- 17:14:22 - (conf-yaml-loader.c:265) <Info> (ConfYamlParse) -- Configuration node 'classification-file' redefined. [8923] 17/8/2017 -- 17:14:22 - (conf-yaml-loader.c:265) <Info> (ConfYamlParse) -- Configuration node 'reference-config-file' redefined. [8923] 17/8/2017 -- 17:14:22 - (conf-yaml-loader.c:265) <Info> (ConfYamlParse) -- Configuration node 'detect' redefined. [8923] 17/8/2017 -- 17:14:22 - (conf-yaml-loader.c:265) <Info> (ConfYamlParse) -- Configuration node 'default-log-dir' redefined. [8923] 17/8/2017 -- 17:14:22 - (conf-yaml-loader.c:265) <Info> (ConfYamlParse) -- Configuration node 'stats' redefined. [8923] 17/8/2017 -- 17:14:22 - (conf-yaml-loader.c:265) <Info> (ConfYamlParse) -- Configuration node 'outputs' redefined. [8923] 17/8/2017 -- 17:14:22 - (conf-yaml-loader.c:265) <Info> (ConfYamlParse) -- Configuration node 'logging' redefined. [8923] 17/8/2017 -- 17:14:22 - (conf-yaml-loader.c:265) <Info> (ConfYamlParse) -- Configuration node 'af-packet' redefined. [8923] 17/8/2017 -- 17:14:22 - (suricata.c:1109) <Notice> (LogVersion) -- This is Suricata version 4.0.0-dev (rev 5e3d8b1)
或者这么来写自定义规则(模拟产生更多的数据)
root@SELKS:/etc/suricata/rules# cat local.rules #alert http any any -> any any (msg:"any Packet detected";sid:1000001;) alert icmp any any -> any any (msg:"any Packet detected";sid:1000002;) alert tcp any any -> any any (msg:"any Packet detected";sid:1000003;) alert udp any any -> any any (msg:"any Packet detected";sid:1000004;)
然后,执行
root@SELKS:/etc/suricata/rules# sudo /usr/bin/suricata -c /etc/suricata/suricata.yaml -i enp0s3 -s /etc/suricata/rules/local.rules [1285] 17/8/2017 -- 21:41:59 - (conf-yaml-loader.c:241) <Info> (ConfYamlParse) -- Including configuration file /etc/suricata/selks4-addin.yaml. [1285] 17/8/2017 -- 21:41:59 - (conf-yaml-loader.c:265) <Info> (ConfYamlParse) -- Configuration node 'default-rule-path' redefined. [1285] 17/8/2017 -- 21:41:59 - (conf-yaml-loader.c:265) <Info> (ConfYamlParse) -- Configuration node 'rule-files' redefined. [1285] 17/8/2017 -- 21:41:59 - (conf-yaml-loader.c:265) <Info> (ConfYamlParse) -- Configuration node 'classification-file' redefined. [1285] 17/8/2017 -- 21:41:59 - (conf-yaml-loader.c:265) <Info> (ConfYamlParse) -- Configuration node 'reference-config-file' redefined. [1285] 17/8/2017 -- 21:41:59 - (conf-yaml-loader.c:265) <Info> (ConfYamlParse) -- Configuration node 'detect' redefined. [1285] 17/8/2017 -- 21:41:59 - (conf-yaml-loader.c:265) <Info> (ConfYamlParse) -- Configuration node 'default-log-dir' redefined. [1285] 17/8/2017 -- 21:41:59 - (conf-yaml-loader.c:265) <Info> (ConfYamlParse) -- Configuration node 'stats' redefined. [1285] 17/8/2017 -- 21:41:59 - (conf-yaml-loader.c:265) <Info> (ConfYamlParse) -- Configuration node 'outputs' redefined. [1285] 17/8/2017 -- 21:41:59 - (conf-yaml-loader.c:265) <Info> (ConfYamlParse) -- Configuration node 'logging' redefined. [1285] 17/8/2017 -- 21:41:59 - (conf-yaml-loader.c:265) <Info> (ConfYamlParse) -- Configuration node 'af-packet' redefined. [1285] 17/8/2017 -- 21:41:59 - (suricata.c:1109) <Notice> (LogVersion) -- This is Suricata version 4.0.0-dev (rev 5e3d8b1) [1285] 17/8/2017 -- 21:43:34 - (output-tx.c:76) <Notice> (OutputRegisterTxLogger) -- JsonDNP3Log logger not enabled: protocol dnp3 is disabled [1285] 17/8/2017 -- 21:43:34 - (output-tx.c:76) <Notice> (OutputRegisterTxLogger) -- JsonDNP3Log logger not enabled: protocol dnp3 is disabled [1285] 17/8/2017 -- 21:43:34 - (tm-threads.c:2178) <Notice> (TmThreadWaitOnThreadInit) -- all 1 packet processing threads, 4 management threads initialized, engine started.
