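####################################################################
# Sample SEC ruleset for Snort IDS
####################################################################
# Rule file for SEC (Simple Event Correlator). Input events are
# syslog lines written by Snort, so everything captured from them
# ($1, $2, ...) is untrusted log content.
#
# Conventions used in this file:
#   - Wherever a capture is later substituted into a shell command
#     line (the 'pipe' and 'report' actions below build a mail(1)
#     subject from it), the capture is restricted to a dotted numeric
#     address, ([\d\.]+), never \S+.  The events those rules match are
#     generated by the rules in this file with the same ([\d\.]+)
#     capture, so nothing this file produces is lost by the
#     restriction; it only guarantees that a token of another shape
#     can never reach the shell.
#   - Free-text alert messages are captured with (.+) / (.*) and are
#     only ever written into contexts, used as desc text, or handed to
#     a command's standard input ('pipe'); they are never placed on a
#     command line.
#   - %t is the event timestamp and %s the substituted desc, filled in
#     by SEC.
#   - A trailing backslash continues a directive on the next line.
#   - Reports are mailed to root@localhost.

# ------------------------------------------------------------------
# Handle portscans
# ------------------------------------------------------------------

# For every completed portscan, add an entry to the PORTSCAN_REPORT;
# also generate a meta-event ACTIVITY_FROM for the IP
# ($1 = rest of the line starting at the address, $2 = the address only)
type=Single
ptype=RegExp
pattern=End of portscan from (([\d\.]+).*)
desc=Portscan from $1
action=add PORTSCAN_REPORT %t: %s; event ACTIVITY_FROM_$2: %s

# ------------------------------------------------------------------
# Recognize snort alert message and generate corresponding SEC event
# ------------------------------------------------------------------

# recognize snort alert message; also generate
# a meta-event ACTIVITY_FROM for the IP
# $1 = alert message, $2 = classification, $3 = priority,
# $4 = source address, $5 = destination address (port suffixes dropped)
type=Single
ptype=RegExp
pattern=snort(?:\[\d+\])?: \[[0-9:]+\] (.+) \[(.+)\] \[.*Priority: (\d+)\]: \
\S+ ([\d\.]+):?\d* -> ([\d\.]+):?\d*
desc=PRIORITY $3 INCIDENT FROM $4 TO $5: $1 [$2]
action=event %s; event ACTIVITY_FROM_$4: $1

# ------------------------------------------------------------------
# Handle priority 1 incidents
# ------------------------------------------------------------------

# Detect the beginning of priority 1 attack from a certain source IP,
# and send a warning e-mail message that a new attack has begun;
# also create a context for storing a detailed information about the attack.
# $1 becomes part of the mail subject on the command line, hence the
# numeric-only capture; the event text itself is delivered to mail(1)
# on its standard input by the 'pipe' action.
type=Single
ptype=RegExp
pattern=PRIORITY 1 INCIDENT FROM ([\d\.]+) TO \S+: .+
context=!ATTACK_FROM_$1
continue=TakeNext
desc=Priority 1 attack started from $1
action=create ATTACK_FROM_$1; add ALERT_REPORT %t: %s; pipe '%t: %s' \
mail -s 'SNORT: priority 1 attack from $1 (alert)' root@localhost

# For every priority 1 incident, add an entry to the context by its IP;
# if the IP has been quiet for 5 minutes, report the whole attack.
# 'set' re-arms the 300 s lifetime on every incident and installs the
# action list that runs when the context finally expires; $1 is used in
# the mail subject, so it is numeric-only as above.
type=Single
ptype=RegExp
pattern=PRIORITY 1 INCIDENT FROM ([\d\.]+) TO (\S+): (.+)
context=ATTACK_FROM_$1
continue=TakeNext
desc=Priority 1 incident from $1 to $2: $3
action=add ATTACK_FROM_$1 %t: %s; \
set ATTACK_FROM_$1 300 ( report ATTACK_FROM_$1 \
mail -s 'SNORT: priority 1 attack from $1 (report)' root@localhost )

# ------------------------------------------------------------------
# Handle incidents by thresholding
# ------------------------------------------------------------------

# Count how many _certain type_ of incidents are coming from one source
# (the counting operation is keyed by the substituted desc, i.e. by
# priority, source address and message text together);
# if the threshold has been crossed, reset the counting operation started
# by the next rule, in order to avoid duplicate alerts for the same IP,
# and silence that rule for this source for one hour via TURNOFF_<ip>
type=SingleWithThreshold
ptype=RegExp
pattern=PRIORITY (\d+) INCIDENT FROM (\S+) TO \S+: (.+)
continue=TakeNext
desc=Snort has seen >= 30 priority $1 incidents from $2: $3
action=add ALERT_REPORT %t: %s; \
reset +1 Snort has seen >= 150 incidents from $2; \
create TURNOFF_$2 3600
thresh=30
window=3600

# Count how many incidents come from one source.
# The 'reset +1' in the previous rule addresses this rule by its desc,
# so the two desc strings must be kept identical.
type=SingleWithThreshold
ptype=RegExp
pattern=PRIORITY \d+ INCIDENT FROM (\S+) TO \S+: .+
context=!TURNOFF_$1
desc=Snort has seen >= 150 incidents from $1
action=add ALERT_REPORT %t: %s
thresh=150
window=7200

# ------------------------------------------------------------------
# Report IPs that have been active for some time
# ------------------------------------------------------------------

# Set up activity contexts for the IP; if the IP has been active for 2 hours,
# and there have been no gaps longer than 30 minutes, report its activities.
# Two contexts per address: ACTIVITY_LIST_FOR_<ip> collects the events and
# reports after 7200 s, ACTIVITY_LIST_FOR_<ip>_LIFETIME is the gap timer
# maintained by the next rule.  $1 goes into the mail subject on the
# command line, hence the numeric-only capture.
type=Single
ptype=RegExp
pattern=ACTIVITY_FROM_([\d\.]+):
context=!ACTIVITY_LIST_FOR_$1
continue=TakeNext
desc=Create activity contexts for $1
action=create ACTIVITY_LIST_FOR_$1_LIFETIME; \
create ACTIVITY_LIST_FOR_$1 7200 ( report ACTIVITY_LIST_FOR_$1 \
mail -s 'SNORT: $1 has been active for 2 hours' root@localhost; \
delete ACTIVITY_LIST_FOR_$1_LIFETIME )

# Add the activity event to the context of a given IP, and extend
# the lifetime of activity contexts for 30 minutes for the IP.
# If the 1800 s gap timer runs out, the collecting context is deleted
# without a report (same address capture as the rule above).
type=Single
ptype=RegExp
pattern=ACTIVITY_FROM_([\d\.]+): (.*)
context=ACTIVITY_LIST_FOR_$1
desc=Activity from $1: $2
action=add ACTIVITY_LIST_FOR_$1 %t: %s; \
set ACTIVITY_LIST_FOR_$1_LIFETIME 1800 ( delete ACTIVITY_LIST_FOR_$1 )

# ------------------------------------------------------------------
# Send reports every day at 9:00 am
# ------------------------------------------------------------------

# send daily report about regular alerts (context is emptied afterwards)
type=Calendar
time=0 9 * * *
desc=Sending alert report...
action=report ALERT_REPORT \
mail -s 'SNORT: daily alert report' root@localhost; \
delete ALERT_REPORT

# send daily report about portscans (context is emptied afterwards)
type=Calendar
time=0 9 * * *
desc=Sending portscan report...
action=report PORTSCAN_REPORT \
mail -s 'SNORT: daily portscan report' root@localhost; \
delete PORTSCAN_REPORT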