    IPV6 Custom Rules Snort and HE tunnel broker

    JonathanLee

      Hello fellow Netgate community members, can you please help? Does anyone else do custom WAN rules on Snort or any other IPS like Suricata?

      Please let me know if you would recommend anything else here.

      # ============================================
      # WAN INTERFACE SECURITY RULES - PRODUCTION
      # ============================================
      # Network Configuration:
      # - IPv4 WAN: (your IPv4 WAN IP goes here)/32 (static)
      # - IPv4 Gateway: (your IPv4 WAN gateway goes here)
      # - IPv6 Tunnel Link: (your IPv6 tunnel link goes here)
      #   ├─ HE Gateway: (your IPv6 gateway goes here)
      #   └─ pfSense: (your IPv6 pfSense tunnel interface address goes here)
      # - IPv6 Routed Prefix: (your IPv6 routed prefix goes here)
      #   ├─ Secure LAN: (IPv6 you use for secure lan) (Gateway: ::a::1)
      #   └─ Guest WiFi: (IPv6 you use for guest lan) (Gateway: ::b::1)
      # - VPN Access: (IPv4 you allow access to openvpn on) only (network used)
      # - Squid Proxy: 192.168.1.1 (IPv4), (ipv6 address assigned to private interface facing side) (IPv6)
      # ============================================
      
      # === HURRICANE ELECTRIC IPv6 TUNNEL PROTECTION ===
      
      # HE Tunnel Protocol (IP protocol 41 - 6in4)
      # Alert on spoofed tunnel packets not from HE
      alert ip !HE TUNNEL GIF ADDRESS IPV4 any -> (your IPv4 WAN IP goes here) any (msg:"CRITICAL: Spoofed IPv6 Tunnel Packet (Not from HE)"; ip_proto:41; classtype:protocol-command-decode; priority:1; sid:1000300; rev:1;)
      
      # IPv6 Tunnel Disruption Attempt (suspicious ICMP patterns)
      alert icmp any any -> HE TUNNEL GIF ADDRESS IPV4 any (msg:"Suspicious ICMP to HE Tunnel Endpoint"; itype:3; threshold:type threshold, track by_src, count 10, seconds 60; classtype:attempted-dos; sid:1000301; rev:1;)
      
      alert icmp any any -> HE TUNNEL GIF ADDRESS IPV4 any (msg:"ICMP Redirect to HE Tunnel Endpoint"; itype:5; classtype:attempted-dos; sid:1000302; rev:1;)
      
      # Tunnel Fragmentation Attack
      alert ip any any -> (your IPv4 WAN IP goes here) any (msg:"IPv6 Tunnel Fragmentation Attack"; ip_proto:41; fragbits:M; threshold:type threshold, track by_src, count 20, seconds 10; classtype:attempted-dos; sid:1000303; rev:1;)
      
      
      # === IPv6 SPECIFIC THREATS ===
      
      # ICMPv6 Router Advertisement Spoofing (MITM attack) - Secure LAN
      alert icmp any any -> (IPv6 you use for secure lan) any (msg:"CRITICAL: Rogue IPv6 Router Advertisement (Secure LAN)"; itype:134; classtype:attempted-recon; priority:1; sid:1000310; rev:1;)
      
      # ICMPv6 Router Advertisement Spoofing - Guest WiFi
      alert icmp any any -> (IPv6 you use for guest lan) any (msg:"Rogue IPv6 Router Advertisement (Guest WiFi)"; itype:134; classtype:attempted-recon; priority:1; sid:1000311; rev:1;)
      
      # ICMPv6 Neighbor Advertisement Spoofing (IPv6 ARP poisoning) - Secure LAN
      alert icmp any any -> (IPv6 you use for secure lan) any (msg:"IPv6 Neighbor Advertisement Spoofing (Secure LAN)"; itype:136; threshold:type threshold, track by_src, count 20, seconds 60; classtype:attempted-recon; sid:1000312; rev:1;)
      
      # ICMPv6 Neighbor Advertisement Spoofing - Guest WiFi
      alert icmp any any -> (IPv6 you use for guest lan) any (msg:"IPv6 Neighbor Advertisement Spoofing (Guest WiFi)"; itype:136; threshold:type threshold, track by_src, count 20, seconds 60; classtype:attempted-recon; sid:1000313; rev:1;)
      
      # DHCPv6 Spoofing (rogue DHCPv6 server)
      # NOTE: this header also matches replies from any legitimate DHCPv6 server (pfSense itself if it serves the LANs);
      # exclude that server's address as the source, or expect an alert for every lease it hands out.
      alert udp any 547 -> any 546 (msg:"Rogue DHCPv6 Server Detected"; classtype:attempted-recon; sid:1000314; rev:1;)
      
      # IPv6 Hop-by-Hop Extension Header Abuse - Secure LAN
      # (ip_proto:0 selects packets whose next header is Hop-by-Hop; without any detection option the rule fires on every packet to the subnet)
      alert ip any any -> (IPv6 you use for secure lan) any (msg:"IPv6 Hop-by-Hop Extension Header Attack (Secure LAN)"; ip_proto:0; classtype:attempted-dos; sid:1000315; rev:1;)
      
      # IPv6 Hop-by-Hop Extension Header Abuse - Guest WiFi
      alert ip any any -> (IPv6 you use for guest lan) any (msg:"IPv6 Hop-by-Hop Extension Header Attack (Guest WiFi)"; ip_proto:0; classtype:attempted-dos; sid:1000316; rev:1;)
      
      # IPv6 Fragment Reassembly DoS - Secure LAN
      # (fragbits:M restricts the count to fragmented packets; with threshold alone any 50 packets in 10 s would alert)
      alert ip any any -> (IPv6 you use for secure lan) any (msg:"IPv6 Fragment Flood (Secure LAN)"; fragbits:M; threshold:type threshold, track by_src, count 50, seconds 10; classtype:attempted-dos; sid:1000317; rev:1;)
      
      # IPv6 Fragment Reassembly DoS - Guest WiFi
      alert ip any any -> (IPv6 you use for guest lan) any (msg:"IPv6 Fragment Flood (Guest WiFi)"; fragbits:M; threshold:type threshold, track by_src, count 50, seconds 10; classtype:attempted-dos; sid:1000318; rev:1;)
      
      # Teredo Tunneling (IPv6 over IPv4 UDP - potential firewall bypass)
      alert udp any any -> any 3544 (msg:"Teredo IPv6 Tunnel Detected - Possible Bypass"; classtype:policy-violation; sid:1000319; rev:1;)
      
      # 6to4 Tunneling Detection
      # (a 6in4 payload begins with the inner IPv6 header, so 2002::/16 sits in the inner source address at offset 8
      #  (destination at offset 24), never in the first two payload bytes; assumes the rule inspects the raw encapsulated payload)
      alert ip any any -> any any (msg:"6to4 IPv6 Tunnel Detected"; ip_proto:41; content:"|20 02|"; offset:8; depth:2; classtype:policy-violation; sid:1000320; rev:1;)
      
      
      # === GUEST WiFi IPv6 ISOLATION ENFORCEMENT ===
      
      # Guest trying to access Secure LAN via IPv6 (CRITICAL - firewall breach)
      alert ip (IPv6 you use for guest lan) any -> (IPv6 you use for secure lan) any (msg:"CRITICAL: Guest WiFi Accessing Secure LAN via IPv6"; classtype:policy-violation; priority:1; sid:1000330; rev:1;)
      
      # Guest trying to access tunnel link subnet
      alert ip (IPv6 you use for guest lan) any -> (your IPv6 tunnel link goes here) any (msg:"CRITICAL: Guest Accessing Tunnel Subnet"; classtype:policy-violation; priority:1; sid:1000331; rev:1;)
      
      
      # === VPN SECURITY (OpenVPN UDP 1192) ===
      
      # VPN Connection from NON-network used Source
      alert udp !(IPv4 you allow access to openvpn on) any -> (your IPv4 WAN IP goes here) 1192 (msg:"CRITICAL: VPN Connection from Non-network used Source"; classtype:policy-violation; priority:1; sid:1000010; rev:1;)
      
      # VPN Brute Force from network used
      alert udp (IPv4 you allow access to openvpn on) any -> (your IPv4 WAN IP goes here) 1192 (msg:"OpenVPN Brute Force from network used"; threshold:type both, track by_src, count 10, seconds 60; classtype:attempted-admin; sid:1000011; rev:1;)
      
      # VPN Connection Flood (DoS)
      alert udp any any -> (your IPv4 WAN IP goes here) 1192 (msg:"OpenVPN Connection Flood"; threshold:type threshold, track by_src, count 50, seconds 10; classtype:attempted-dos; sid:1000012; rev:1;)
      
      # OpenVPN Malformed Packet
      alert udp any any -> (your IPv4 WAN IP goes here) 1192 (msg:"Malformed OpenVPN Packet"; dsize:<14; classtype:protocol-command-decode; sid:1000013; rev:1;)
      
      
      # === INBOUND PORT SCAN DETECTION (IPv4) ===
      
      # Standard Port Scan
      alert tcp any any -> (your IPv4 WAN IP goes here) any (msg:"Port Scan Against WAN IPv4"; flags:S; threshold:type threshold, track by_src, count 20, seconds 60; classtype:attempted-recon; sid:1000050; rev:1;)
      
      # Aggressive Scan
      alert tcp any any -> (your IPv4 WAN IP goes here) any (msg:"Aggressive Port Scan Detected"; flags:S; threshold:type threshold, track by_src, count 50, seconds 30; classtype:attempted-recon; sid:1000051; rev:1;)
      
      # Nmap OS Detection
      alert tcp any any -> (your IPv4 WAN IP goes here) any (msg:"Nmap OS Detection Scan"; flags:S; window:1024; threshold:type limit, track by_src, count 1, seconds 60; classtype:attempted-recon; sid:1000052; rev:1;)
      
      # Christmas Tree Scan
      alert tcp any any -> (your IPv4 WAN IP goes here) any (msg:"TCP Christmas Tree Scan"; flags:FPU; classtype:attempted-recon; sid:1000053; rev:1;)
      
      # NULL Scan
      alert tcp any any -> (your IPv4 WAN IP goes here) any (msg:"TCP NULL Scan"; flags:0; classtype:attempted-recon; sid:1000054; rev:1;)
      
      # XMAS Scan (duplicate of Christmas Tree, but kept for clarity)
      alert tcp any any -> (your IPv4 WAN IP goes here) any (msg:"TCP XMAS Scan"; flags:FPU; classtype:attempted-recon; sid:1000055; rev:1;)
      
      
      # === INBOUND PORT SCAN DETECTION (IPv6) ===
      
      # IPv6 Port Scan - Secure LAN Gateway
      alert tcp any any -> (ipv6 address assigned to private interface facing side) any (msg:"IPv6 Port Scan Against Secure LAN Gateway"; flags:S; threshold:type threshold, track by_src, count 20, seconds 60; classtype:attempted-recon; sid:1000056; rev:1;)
      
      # IPv6 Port Scan - Guest Gateway
      alert tcp any any -> (Guest ipv6) any (msg:"IPv6 Port Scan Against Guest Gateway"; flags:S; threshold:type threshold, track by_src, count 20, seconds 60; classtype:attempted-recon; sid:1000057; rev:1;)
      
      # IPv6 Subnet Scan - Secure LAN
      alert tcp any any -> (IPv6 you use for secure lan) any (msg:"IPv6 Subnet Scan (Secure LAN)"; flags:S; threshold:type threshold, track by_src, count 50, seconds 60; classtype:attempted-recon; sid:1000058; rev:1;)
      
      # IPv6 Subnet Scan - Guest WiFi
      alert tcp any any -> (IPv6 you use for guest lan) any (msg:"IPv6 Subnet Scan (Guest WiFi)"; flags:S; threshold:type threshold, track by_src, count 50, seconds 60; classtype:attempted-recon; sid:1000059; rev:1;)
      
      
      # === DENIAL OF SERVICE ATTACKS ===
      
      # SYN Flood (IPv4)
      alert tcp any any -> (your IPv4 WAN IP goes here) any (msg:"SYN Flood Attack (IPv4)"; flags:S; threshold:type threshold, track by_dst, count 100, seconds 10; classtype:attempted-dos; sid:1000070; rev:1;)
      
      # SYN Flood (IPv6 Secure LAN)
      alert tcp any any -> (IPv6 you use for secure lan) any (msg:"SYN Flood Attack (IPv6 Secure LAN)"; flags:S; threshold:type threshold, track by_dst, count 100, seconds 10; classtype:attempted-dos; sid:1000071; rev:1;)
      
      # SYN Flood (IPv6 Guest)
      alert tcp any any -> (IPv6 you use for guest lan) any (msg:"SYN Flood Attack (IPv6 Guest)"; flags:S; threshold:type threshold, track by_dst, count 100, seconds 10; classtype:attempted-dos; sid:1000072; rev:1;)
      
      # ICMP Flood (IPv4)
      alert icmp any any -> (your IPv4 WAN IP goes here) any (msg:"ICMP Flood Attack"; threshold:type threshold, track by_dst, count 50, seconds 10; classtype:attempted-dos; sid:1000073; rev:1;)
      
      # ICMPv6 Flood (Secure LAN)
      alert icmp any any -> (IPv6 you use for secure lan) any (msg:"ICMPv6 Flood (Secure LAN)"; threshold:type threshold, track by_dst, count 50, seconds 10; classtype:attempted-dos; sid:1000074; rev:1;)
      
      # ICMPv6 Flood (Guest)
      alert icmp any any -> (IPv6 you use for guest lan) any (msg:"ICMPv6 Flood (Guest)"; threshold:type threshold, track by_dst, count 50, seconds 10; classtype:attempted-dos; sid:1000075; rev:1;)
      
      # UDP Flood (IPv4)
      alert udp !(IPv4 you allow access to openvpn on) any -> (your IPv4 WAN IP goes here) any (msg:"UDP Flood Attack (IPv4) - External Only"; threshold:type threshold, track by_dst, count 100, seconds 10; classtype:attempted-dos; priority:2; sid:1000076; rev:2;)
      
      # UDP Flood (IPv6 Secure)
      alert udp any any -> (IPv6 you use for secure lan) any (msg:"UDP Flood (IPv6 Secure LAN)"; threshold:type threshold, track by_dst, count 100, seconds 10; classtype:attempted-dos; sid:1000077; rev:1;)
      
      # UDP Flood (IPv6 Guest)
      alert udp any any -> (IPv6 you use for guest lan) any (msg:"UDP Flood (IPv6 Guest)"; threshold:type threshold, track by_dst, count 100, seconds 10; classtype:attempted-dos; sid:1000078; rev:1;)
      
      # IP Fragment Flood
      alert ip any any -> (your IPv4 WAN IP goes here) any (msg:"IP Fragment Flood"; fragbits:M; threshold:type threshold, track by_src, count 50, seconds 10; classtype:attempted-dos; sid:1000079; rev:1;)
      
      # Slowloris Attack
      alert tcp any any -> (your IPv4 WAN IP goes here) 80 (msg:"Slowloris Attack Detected"; flow:to_server,established; threshold:type threshold, track by_src, count 50, seconds 300; classtype:attempted-dos; sid:1000080; rev:1;)
      
      
      # === SSH PROTECTION ===
      
      # SSH Brute Force (IPv4)
      alert tcp any any -> (your IPv4 WAN IP goes here) 22 (msg:"SSH Brute Force (IPv4)"; flow:to_server,established; content:"SSH"; depth:4; threshold:type both, track by_src, count 5, seconds 60; classtype:attempted-admin; sid:1000020; rev:1;)
      
      # SSH Brute Force (IPv6 Secure LAN)
      alert tcp any any -> (ipv6 address assigned to private interface facing side) 22 (msg:"SSH Brute Force (IPv6 Secure LAN)"; flow:to_server,established; content:"SSH"; depth:4; threshold:type both, track by_src, count 5, seconds 60; classtype:attempted-admin; sid:1000021; rev:1;)
      
      # SSH Version Scan
      alert tcp any any -> (your IPv4 WAN IP goes here) 22 (msg:"SSH Version Scan"; flow:to_server; flags:S; threshold:type threshold, track by_src, count 10, seconds 30; classtype:attempted-recon; sid:1000022; rev:1;)
      
      
      # === SMB/NAS ATTACKS ===
      
      # EternalBlue (IPv4)
      # (SMB on TCP/445 carries a 4-byte direct-TCP/NetBIOS session header before |ff|SMB, so the 4-byte signature
      #  occupies bytes 4-7; depth:5 can never contain it, depth:8 can)
      alert tcp any any -> (your IPv4 WAN IP goes here) 445 (msg:"CRITICAL: EternalBlue SMB Exploit (IPv4)"; flow:to_server,established; content:"|ff|SMB"; depth:8; content:"|00 00 00|"; distance:9; within:3; classtype:attempted-admin; priority:1; sid:1000003; rev:1;)
      
      # EternalBlue (IPv6 Secure LAN)
      alert tcp any any -> (ipv6 address assigned to private interface facing side) 445 (msg:"CRITICAL: EternalBlue SMB Exploit (IPv6 Secure LAN)"; flow:to_server,established; content:"|ff|SMB"; depth:8; content:"|00 00 00|"; distance:9; within:3; classtype:attempted-admin; priority:1; sid:1000004; rev:1;)
      
      # SMBGhost (IPv4)
      # (same 4-byte transport header applies to the SMB2/3 |fe|SMB signature)
      alert tcp any any -> (your IPv4 WAN IP goes here) 445 (msg:"CRITICAL: SMBGhost Exploit (IPv4)"; flow:to_server,established; content:"|fe|SMB"; depth:8; content:"|11 03 02|"; distance:0; classtype:attempted-admin; priority:1; sid:1000005; rev:1;)
      
      # SMBGhost (IPv6 Secure LAN)
      alert tcp any any -> (ipv6 address assigned to private interface facing side) 445 (msg:"CRITICAL: SMBGhost Exploit (IPv6 Secure LAN)"; flow:to_server,established; content:"|fe|SMB"; depth:8; content:"|11 03 02|"; distance:0; classtype:attempted-admin; priority:1; sid:1000006; rev:1;)
      
      # SMB Brute Force
      alert tcp any any -> (your IPv4 WAN IP goes here) 445 (msg:"SMB Brute Force Attempt"; flow:to_server,established; threshold:type both, track by_src, count 5, seconds 60; classtype:attempted-admin; sid:1000001; rev:1;)
      
      # SMB NULL Session
      alert tcp any any -> (your IPv4 WAN IP goes here) 445 (msg:"SMB NULL Session Attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"IPC$"; nocase; classtype:attempted-recon; sid:1000002; rev:1;)
      
      
      # === WEB ATTACKS ===
      
      # SQL Injection
      alert tcp any any -> (your IPv4 WAN IP goes here) 80 (msg:"SQL Injection Attempt"; flow:to_server,established; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; classtype:web-application-attack; sid:1000060; rev:1;)
      
      # Command Injection
      alert tcp any any -> (your IPv4 WAN IP goes here) 80 (msg:"Command Injection Attempt"; flow:to_server,established; pcre:"/[\|\;\`\&\$\(\)]/"; classtype:web-application-attack; sid:1000061; rev:2;)
      
      # Path Traversal
      alert tcp any any -> (your IPv4 WAN IP goes here) 80 (msg:"Path Traversal Attempt"; flow:to_server,established; content:"../"; nocase; threshold:type limit, track by_src, count 1, seconds 60; classtype:web-application-attack; sid:1000062; rev:1;)
      
      # XSS Attempt
      alert tcp any any -> (your IPv4 WAN IP goes here) 80 (msg:"Cross-Site Scripting Attempt"; flow:to_server,established; content:"<script"; nocase; classtype:web-application-attack; sid:1000063; rev:1;)
      
      # Shellshock
      alert tcp any any -> (your IPv4 WAN IP goes here) any (msg:"Shellshock Exploit Attempt"; flow:to_server,established; content:"() {"; nocase; classtype:web-application-attack; sid:1000064; rev:1;)
      
      # Log4Shell
      alert tcp any any -> (your IPv4 WAN IP goes here) any (msg:"CRITICAL: Log4Shell Exploit"; flow:to_server,established; content:"${jndi:"; nocase; classtype:web-application-attack; priority:1; sid:1000065; rev:1;)
      
      
      # === OUTBOUND THREAT DETECTION ===
      
      # Outbound IRC (IPv4)
      alert tcp (your IPv4 WAN IP goes here) any -> any 6667 (msg:"Outbound IRC - Possible Botnet (IPv4)"; flow:to_server,established; content:"NICK"; nocase; depth:10; classtype:trojan-activity; sid:1000090; rev:1;)
      
      # Outbound IRC (IPv6 Secure LAN)
      alert tcp (ipv6 address assigned to private interface facing side) any -> any 6667 (msg:"Outbound IRC - Possible Botnet (IPv6 Secure LAN)"; flow:to_server,established; content:"NICK"; nocase; depth:10; classtype:trojan-activity; sid:1000091; rev:1;)
      
      # Outbound IRC (IPv6 Guest)
      alert tcp (Guest ipv6) any -> any 6667 (msg:"Outbound IRC - Possible Botnet (IPv6 Guest)"; flow:to_server,established; content:"NICK"; nocase; depth:10; classtype:trojan-activity; sid:1000092; rev:1;)
      
      # Cryptomining (IPv4)
      alert tcp (your IPv4 WAN IP goes here) any -> any any (msg:"Cryptomining Pool (IPv4)"; flow:to_server,established; content:"stratum+tcp"; nocase; classtype:trojan-activity; sid:1000093; rev:1;)
      
      # Cryptomining (IPv6 Secure)
      alert tcp (ipv6 address assigned to private interface facing side) any -> any any (msg:"Cryptomining Pool (IPv6 Secure)"; flow:to_server,established; content:"stratum+tcp"; nocase; classtype:trojan-activity; sid:1000094; rev:1;)
      
      # Cryptomining (IPv6 Guest)
      alert tcp (Guest ipv6) any -> any any (msg:"Cryptomining Pool (IPv6 Guest)"; flow:to_server,established; content:"stratum+tcp"; nocase; classtype:trojan-activity; sid:1000095; rev:1;)
      
      # Telnet (IPv4)
      alert tcp (your IPv4 WAN IP goes here) any -> any 23 (msg:"Outbound Telnet (IPv4)"; flow:to_server,established; classtype:policy-violation; sid:1000096; rev:1;)
      
      # Telnet (IPv6 Secure)
      alert tcp (ipv6 address assigned to private interface facing side) any -> any 23 (msg:"Outbound Telnet (IPv6 Secure)"; flow:to_server,established; classtype:policy-violation; sid:1000097; rev:1;)
      
      # FTP (IPv4)
      alert tcp (your IPv4 WAN IP goes here) any -> any 21 (msg:"Outbound FTP (IPv4)"; flow:to_server,established; classtype:policy-violation; sid:1000098; rev:1;)
      
      # FTP (IPv6 Secure)
      alert tcp (ipv6 address assigned to private interface facing side) any -> any 21 (msg:"Outbound FTP (IPv6 Secure)"; flow:to_server,established; classtype:policy-violation; sid:1000099; rev:1;)
      
      # TOR (IPv4)
      alert tcp (your IPv4 WAN IP goes here) any -> any [9001,9030,9040,9050,9051,9150] (msg:"Outbound TOR (IPv4)"; flow:to_server,established; classtype:policy-violation; sid:1000100; rev:1;)
      
      # TOR (IPv6 Secure)
      alert tcp (ipv6 address assigned to private interface facing side) any -> any [9001,9030,9040,9050,9051,9150] (msg:"Outbound TOR (IPv6 Secure)"; flow:to_server,established; classtype:policy-violation; sid:1000101; rev:1;)
      
      # Large Data Transfer (IPv4)
      alert tcp (your IPv4 WAN IP goes here) any -> any ![80,443,22,1192,445,3128,8080] (msg:"Large Outbound Data Transfer (IPv4)"; flow:to_server,established; dsize:>10000; threshold:type threshold, track by_dst, count 10, seconds 60; classtype:suspicious-filename-detect; sid:1000102; rev:1;)
      
      # Large Data Transfer (IPv6 Secure)
      alert tcp (ipv6 address assigned to private interface facing side) any -> any ![80,443,22,1192,445,3128,8080] (msg:"Large Outbound Data Transfer (IPv6 Secure)"; flow:to_server,established; dsize:>10000; threshold:type threshold, track by_dst, count 10, seconds 60; classtype:suspicious-filename-detect; sid:1000103; rev:1;)
      
      
      # === DNS SECURITY ===
      
      # DNS Tunneling (IPv4)
      alert udp (your IPv4 WAN IP goes here) any -> any 53 (msg:"DNS Tunneling (IPv4)"; flow:to_server; content:"|01 00 00 01|"; offset:2; depth:4; dsize:>100; classtype:bad-unknown; sid:1000110; rev:1;)
      
      # DNS Tunneling (IPv6 Secure)
      alert udp (ipv6 address assigned to private interface facing side) any -> any 53 (msg:"DNS Tunneling (IPv6 Secure)"; flow:to_server; content:"|01 00 00 01|"; offset:2; depth:4; dsize:>100; classtype:bad-unknown; sid:1000111; rev:1;)
      
      # DNS Tunneling (IPv6 Guest)
      alert udp (Guest ipv6) any -> any 53 (msg:"DNS Tunneling (IPv6 Guest)"; flow:to_server; content:"|01 00 00 01|"; offset:2; depth:4; dsize:>100; classtype:bad-unknown; sid:1000112; rev:1;)
      
      # DNS Query to Malicious TLD
      # (QNAME is length-prefixed on the wire: the TLD label appears as |02|tk|00|, never as ".tk", so the pcre
      #  must look for the length byte rather than a dot)
      alert udp any any -> any 53 (msg:"DNS Query to Suspicious TLD"; flow:to_server; content:"|01 00 00 01|"; offset:2; depth:4; pcre:"/\x02(tk|ml|ga|cf|gq)\x00/i"; classtype:trojan-activity; sid:1000113; rev:1;)
      
      # Fast Flux (IPv4)
      # (same wire-format point: a long random label shows up as a length byte of 20-63 followed by that many characters)
      alert udp (your IPv4 WAN IP goes here) any -> any 53 (msg:"Fast Flux Network Query (IPv4)"; flow:to_server; content:"|01 00 00 01|"; offset:2; depth:4; pcre:"/[\x14-\x3f][a-z0-9]{20}/i"; classtype:trojan-activity; sid:1000114; rev:1;)
      
      # Fast Flux (IPv6 Secure)
      alert udp (ipv6 address assigned to private interface facing side) any -> any 53 (msg:"Fast Flux Network Query (IPv6 Secure)"; flow:to_server; content:"|01 00 00 01|"; offset:2; depth:4; pcre:"/[\x14-\x3f][a-z0-9]{20}/i"; classtype:trojan-activity; sid:1000115; rev:1;)
      
      # DNS Amplification Response
      alert udp (your IPv4 WAN IP goes here) 53 -> any any (msg:"DNS Amplification Response"; flow:from_server; dsize:>512; threshold:type threshold, track by_dst, count 50, seconds 10; classtype:attempted-dos; sid:1000116; rev:1;)
      
      
      # === SQUID PROXY ABUSE ===
      
      # Squid Header Injection
      alert tcp any any -> (your IPv4 WAN IP goes here) 3128 (msg:"HTTP Header Injection via Squid"; flow:to_server,established; content:"X-Forwarded-For"; nocase; pcre:"/\r\n\r\n/"; classtype:web-application-attack; sid:1000120; rev:1;)
      
      # Squid CONNECT Abuse
      alert tcp any any -> (your IPv4 WAN IP goes here) 3128 (msg:"Suspicious CONNECT Method via Squid"; flow:to_server,established; content:"CONNECT"; http_method; content:"443"; http_uri; classtype:policy-violation; sid:1000121; rev:1;)
      
      
      # === RECONNAISSANCE ===
      
      # Multiple Failed Connections
      alert tcp any any -> (your IPv4 WAN IP goes here) any (msg:"Multiple Failed Connection Attempts"; flags:R; threshold:type threshold, track by_src, count 20, seconds 60; classtype:attempted-recon; sid:1000130; rev:1;)
      
      # Banner Grabbing
      alert tcp any any -> (your IPv4 WAN IP goes here) any (msg:"Banner Grabbing Detected"; flow:to_server,established; dsize:<10; threshold:type threshold, track by_src, count 5, seconds 60; classtype:attempted-recon; sid:1000131; rev:1;)
      
      # SNMP Brute Force
      alert udp any any -> (your IPv4 WAN IP goes here) 161 (msg:"SNMP Brute Force"; threshold:type threshold, track by_src, count 10, seconds 60; classtype:attempted-recon; sid:1000132; rev:1;)
      
      # Traceroute Detection
      alert ip any any -> (your IPv4 WAN IP goes here) any (msg:"Traceroute Scan Detected"; ttl:1; classtype:attempted-recon; sid:1000133; rev:1;)
      
      
      # === BOTNET / MALWARE ===
      
      # Mirai Botnet
      alert tcp any any -> (your IPv4 WAN IP goes here) 23 (msg:"Mirai Botnet Scan"; flow:to_server,established; content:"/bin/busybox"; nocase; classtype:trojan-activity; sid:1000140; rev:1;)
      
      # Zeus C2 (IPv4)
      alert tcp (your IPv4 WAN IP goes here) any -> any any (msg:"Zeus Botnet C2 (IPv4)"; flow:to_server,established; content:"POST"; http_method; content:"/gate.php"; http_uri; classtype:trojan-activity; sid:1000141; rev:1;)
      
      # Zeus C2 (IPv6 Secure)
      alert tcp (ipv6 address assigned to private interface facing side) any -> any any (msg:"Zeus Botnet C2 (IPv6 Secure)"; flow:to_server,established; content:"POST"; http_method; content:"/gate.php"; http_uri; classtype:trojan-activity; sid:1000142; rev:1;)
      
      # Emotet C2
      alert tcp any any -> any any (msg:"Emotet Malware C2 Beacon"; flow:to_server,established; content:"Cookie|3a|"; http_header; pcre:"/[A-F0-9]{32}/"; classtype:trojan-activity; sid:1000143; rev:1;)
      
      
      # === KNOWN CVE EXPLOITS ===
      
      # Heartbleed
      alert tcp any any -> (your IPv4 WAN IP goes here) 443 (msg:"Heartbleed Exploit Attempt"; flow:to_server,established; content:"|18 03|"; depth:2; content:"|01|"; distance:3; within:1; classtype:attempted-admin; sid:1000150; rev:1;)
      
      # POODLE
      alert tcp any any -> (your IPv4 WAN IP goes here) 443 (msg:"SSLv3 POODLE Vulnerability Exploit"; flow:to_server,established; content:"|16 03 00|"; depth:3; classtype:attempted-admin; sid:1000151; rev:1;)
      
      # Ghost (glibc)
      alert tcp any any -> (your IPv4 WAN IP goes here) any (msg:"Ghost glibc Exploit Attempt"; flow:to_server,established; content:"gethostbyname"; nocase; classtype:attempted-admin; sid:1000152; rev:1;)
      

      Make sure to upvote
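As an added illustration (not part of the original post or of Snort), the following Python builds a constructed DNS query and a constructed SMB/445 frame and applies the rule set's content/offset/depth windows and pcre patterns to them, modelling Snort's window semantics; `build_dns_query`, `build_smb1_frame`, `content_match` and `run_checks` are names chosen for this example.

```python
import re
import struct

# Constructed sample packets (not captured traffic): a DNS A query in
# RFC 1035 wire format and an SMB1 frame as it appears on TCP/445.


def build_dns_query(name, txid=0x1234):
    """Standard query: 12-byte header, length-prefixed QNAME, QTYPE A, QCLASS IN."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags RD, QDCOUNT 1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)


def build_smb1_frame(body=b"\x72" + b"\x00" * 31):
    """SMB over TCP/445: 4-byte direct-TCP header (0x00 + 24-bit length), then 0xFF 'SMB' + command."""
    smb = b"\xffSMB" + body
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


def content_match(payload, pattern, offset=0, depth=None):
    """Model Snort's content/offset/depth window: the whole pattern must lie in payload[offset:offset+depth]."""
    window = payload[offset:] if depth is None else payload[offset:offset + depth]
    return pattern in window


def pcre_match(payload, regex):
    """Model pcre:"/.../i" run against the raw payload bytes."""
    return re.search(regex, payload, re.IGNORECASE) is not None


def run_checks():
    """Evaluate the DNS and SMB matching windows used in the rule set; each key names what the result shows."""
    dns_tk = build_dns_query("evil.tk")
    dns_long = build_dns_query("abcdefghijklmnopqrstuvwxyz.example.com")
    dns_plain = build_dns_query("www.example.com")
    smb = build_smb1_frame()
    return {
        # flags 0x0100 + QDCOUNT 1 at payload bytes 2..5: the header check shared by the DNS rules
        "dns_header_window": content_match(dns_tk, b"\x01\x00\x00\x01", offset=2, depth=4),
        # ".tk" never appears on the wire; the label is |02|tk|00|
        "tld_dotted_pcre": pcre_match(dns_tk, rb"\.(tk|ml|ga|cf|gq)\x00"),
        "tld_wire_pcre": pcre_match(dns_tk, rb"\x02(tk|ml|ga|cf|gq)\x00"),
        # a long label is a length byte (20..63) followed by that many characters, not "xxxx."
        "long_label_dotted_pcre": pcre_match(dns_long, rb"[a-z0-9]{20,}\."),
        "long_label_wire_pcre": pcre_match(dns_long, rb"[\x14-\x3f][a-z0-9]{20}"),
        "plain_name_wire_pcre": pcre_match(dns_plain, rb"[\x14-\x3f][a-z0-9]{20}"),
        # the SMB signature sits at bytes 4..7 behind the transport header
        "smb_signature_depth5": content_match(smb, b"\xffSMB", depth=5),
        "smb_signature_depth8": content_match(smb, b"\xffSMB", depth=8),
    }


if __name__ == "__main__":
    for key, hit in run_checks().items():
        print(f"{key:24} {'MATCH' if hit else 'no match'}")
```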
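A second added example, also not from the original post: a small linter for hand-written Snort rules that flags rules with no detection option beyond the header (threshold alone only rate-limits), content patterns longer than their depth window, and reused sids. The sample rules are constructed to mirror shapes in the posted set, with documentation addresses; `SAMPLE_RULES`, `parse_rule`, `content_length` and `lint` are names chosen here.

```python
import re
from collections import Counter

# Constructed rule lines for the linter: the DHCPv6 and fragment-flood shapes
# from the posted set, a quoted pcre containing ';', plus a deliberately
# impossible content/depth pair and a duplicated sid.
SAMPLE_RULES = r'''
alert udp any 547 -> any 546 (msg:"Rogue DHCPv6 Server Detected"; classtype:attempted-recon; sid:1000314; rev:1;)
alert ip any any -> 2001:db8:a::/64 any (msg:"IPv6 Fragment Flood"; threshold:type threshold, track by_src, count 50, seconds 10; classtype:attempted-dos; sid:1000317; rev:1;)
alert tcp any any -> 192.0.2.1 445 (msg:"SMB signature"; flow:to_server,established; content:"|ff|SMB"; depth:3; classtype:attempted-admin; sid:1000003; rev:1;)
alert tcp any any -> 192.0.2.1 80 (msg:"Command Injection Attempt"; flow:to_server,established; pcre:"/[\|\;\`\&\$\(\)]/"; classtype:web-application-attack; sid:1000061; rev:2;)
alert tcp any any -> 192.0.2.1 any (msg:"TCP XMAS Scan"; flags:FPU; classtype:attempted-recon; sid:1000053; rev:1;)
alert tcp any any -> 192.0.2.1 any (msg:"TCP XMAS Scan again"; flags:FPU; classtype:attempted-recon; sid:1000053; rev:1;)
'''

# Options that label a rule but do not constrain which packets it matches;
# threshold/detection_filter only rate-limit, so they count as non-detection too.
NON_DETECTION = {"msg", "classtype", "sid", "rev", "priority", "reference", "metadata",
                 "threshold", "detection_filter"}

HEADER_RE = re.compile(
    r"^(alert|drop|log|pass)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$")


def split_options(body):
    """Split the option body on ';' while respecting double-quoted values (pcre/content may contain ';')."""
    parts, buf, quoted = [], [], False
    for ch in body:
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    return [p for p in parts if p]


def content_length(value):
    """Byte length of a content value: text outside |..| counts per char, inside counts per hex pair."""
    value = value.strip().lstrip("!").strip('"')
    total, inside = 0, False
    for piece in value.split("|"):
        total += len(piece.split()) if inside else len(piece)
        inside = not inside
    return total


def parse_rule(line):
    """Parse one rule into header fields and an ordered (keyword, value) option list; None if not a rule."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    options = []
    for raw in split_options(m.group(8)):
        key, _, val = raw.partition(":")
        options.append((key.strip(), val.strip()))
    return {"proto": m.group(2), "src": m.group(3), "dst": m.group(6),
            "dport": m.group(7), "options": options}


def lint(rules_text):
    """Return (sid, finding) tuples for the classic mistakes in hand-written rules."""
    findings, sids = [], Counter()
    for line in rules_text.splitlines():
        rule = parse_rule(line)
        if rule is None:
            continue
        opts = rule["options"]
        sid = next((v for k, v in opts if k == "sid"), "?")
        sids[sid] += 1
        if all(k in NON_DETECTION for k, _ in opts):
            findings.append((sid, "no detection option: fires on every packet matching the header"))
        # a depth shorter than the content it modifies can never match
        for i, (k, v) in enumerate(opts):
            if k != "content":
                continue
            for k2, v2 in opts[i + 1:]:
                if k2 == "content":
                    break
                if k2 == "depth" and int(v2) < content_length(v):
                    findings.append((sid, f"depth:{v2} shorter than {content_length(v)}-byte content; cannot match"))
    for sid, n in sids.items():
        if n > 1:
            findings.append((sid, f"sid used {n} times; every rule needs its own sid"))
    return findings


if __name__ == "__main__":
    for sid, finding in lint(SAMPLE_RULES):
        print(f"sid {sid}: {finding}")
```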

      JonathanLee

        # ============================================
        # WAN INTERFACE SECURITY RULES - PRODUCTION
        # ============================================
        # Network Configuration:
        # - IPv4 WAN: <WAN_IPV4>/32 (static)
        # - IPv4 Gateway: <WAN_IPV4_GW>
        # - IPv6 Tunnel Link: <TUNNEL_LINK_v6>/64
        #   ├─ HE Gateway: <HE_TUNNEL_GW_v6>
        #   └─ pfSense: <FW_TUNNEL_v6>
        # - IPv6 Routed Prefix: <ROUTED_PREFIX_v6>/48
        #   ├─ Secure LAN: <LAN_SECURE_v6>/64 (Gateway: ::a::1)
        #   └─ Guest WiFi: <LAN_GUEST_v6>/64 (Gateway: ::b::1)
        # - VPN Access: 172.32.0.0/11 only (MetroPCS)
        # - Squid Proxy: 192.168.1.1 (IPv4), <LAN_SECURE_GW_v6> (IPv6)
        # ============================================
        
        # === HURRICANE ELECTRIC IPv6 TUNNEL PROTECTION ===
        
        # HE Tunnel Protocol (IP protocol 41 - 6in4)
        # Alert on spoofed tunnel packets not from HE
        alert ip !72.52.104.74 any -> <WAN_IPV4> any (msg:"CRITICAL: Spoofed IPv6 Tunnel Packet (Not from HE)"; ip_proto:41; classtype:protocol-command-decode; priority:1; sid:1000300; rev:1;)
        
        # IPv6 Tunnel Disruption Attempt (suspicious ICMP patterns)
        alert icmp any any -> 72.52.104.74 any (msg:"Suspicious ICMP to HE Tunnel Endpoint"; itype:3; threshold:type threshold, track by_src, count 10, seconds 60; classtype:attempted-dos; sid:1000301; rev:1;)
        
        alert icmp any any -> 72.52.104.74 any (msg:"ICMP Redirect to HE Tunnel Endpoint"; itype:5; classtype:attempted-dos; sid:1000302; rev:1;)
        
        # Tunnel Fragmentation Attack
        alert ip any any -> <WAN_IPV4> any (msg:"IPv6 Tunnel Fragmentation Attack"; ip_proto:41; fragbits:M; threshold:type threshold, track by_src, count 20, seconds 10; classtype:attempted-dos; sid:1000303; rev:1;)
        
        
        # === IPv6 SPECIFIC THREATS ===
        
        # ICMPv6 Router Advertisement Spoofing (MITM attack) - Secure LAN
        alert icmp any any -> <LAN_SECURE_v6>/64 any (msg:"CRITICAL: Rogue IPv6 Router Advertisement (Secure LAN)"; itype:134; classtype:attempted-recon; priority:1; sid:1000310; rev:1;)
        
        # ICMPv6 Router Advertisement Spoofing - Guest WiFi
        alert icmp any any -> <LAN_GUEST_v6>/64 any (msg:"Rogue IPv6 Router Advertisement (Guest WiFi)"; itype:134; classtype:attempted-recon; priority:1; sid:1000311; rev:1;)
        
        # ICMPv6 Neighbor Advertisement Spoofing (IPv6 ARP poisoning) - Secure LAN
        alert icmp any any -> <LAN_SECURE_v6>/64 any (msg:"IPv6 Neighbor Advertisement Spoofing (Secure LAN)"; itype:136; threshold:type threshold, track by_src, count 20, seconds 60; classtype:attempted-recon; sid:1000312; rev:1;)
        
        # ICMPv6 Neighbor Advertisement Spoofing - Guest WiFi
        alert icmp any any -> <LAN_GUEST_v6>/64 any (msg:"IPv6 Neighbor Advertisement Spoofing (Guest WiFi)"; itype:136; threshold:type threshold, track by_src, count 20, seconds 60; classtype:attempted-recon; sid:1000313; rev:1;)
        
        # DHCPv6 Spoofing (rogue DHCPv6 server)
        # NOTE: this header also matches replies from any legitimate DHCPv6 server (pfSense itself if it serves the LANs);
        # exclude that server's address as the source, or expect an alert for every lease it hands out.
        alert udp any 547 -> any 546 (msg:"Rogue DHCPv6 Server Detected"; classtype:attempted-recon; sid:1000314; rev:1;)
        
        # IPv6 Router Alert Option Attack (malicious pattern) - Secure LAN
        alert ip any any -> <LAN_SECURE_v6>/64 any (msg:"IPv6 Router Alert Option Attack (Secure LAN)"; ip_proto:0; content:"|05 02|"; depth:10; threshold:type threshold, track by_src, count 10, seconds 60; classtype:attempted-dos; sid:1000315; rev:2;)
        
        # IPv6 Router Alert Option Attack - Guest WiFi
        alert ip any any -> <LAN_GUEST_v6>/64 any (msg:"IPv6 Router Alert Option Attack (Guest WiFi)"; ip_proto:0; content:"|05 02|"; depth:10; threshold:type threshold, track by_src, count 10, seconds 60; classtype:attempted-dos; sid:1000316; rev:2;)
        
        # IPv6 Fragment Reassembly DoS - Secure LAN
        alert ip any any -> <LAN_SECURE_v6>/64 any (msg:"IPv6 Fragment Flood (Secure LAN)"; fragbits:M; threshold:type threshold, track by_src, count 100, seconds 30; classtype:attempted-dos; sid:1000317; rev:2;)
        
        # IPv6 Fragment Reassembly DoS - Guest WiFi
        alert ip any any -> <LAN_GUEST_v6>/64 any (msg:"IPv6 Fragment Flood (Guest WiFi)"; fragbits:M; threshold:type threshold, track by_src, count 100, seconds 30; classtype:attempted-dos; sid:1000318; rev:2;)
        
        # Teredo Tunneling (IPv6 over IPv4 UDP - potential firewall bypass)
        # NOTE: Teredo clients send outbound to a server's UDP 3544; this external -> home direction only sees
        # inbound traffic to 3544, so a client on the LAN tunnelling out is not covered by this revision.
        alert udp $EXTERNAL_NET any -> $HOME_NET 3544 (msg:"Teredo IPv6 Tunnel Detected - Possible Bypass (External Only)"; classtype:policy-violation; sid:1000319; rev:2;)
        
        # 6to4 Tunneling Detection
        # (a 6in4 payload begins with the inner IPv6 header, so 2002::/16 sits in the inner source address at offset 8
        #  (destination at offset 24), never in the first two payload bytes; assumes the rule inspects the raw encapsulated payload)
        alert ip any any -> any any (msg:"6to4 IPv6 Tunnel Detected"; ip_proto:41; content:"|20 02|"; offset:8; depth:2; classtype:policy-violation; sid:1000320; rev:1;)
        
        
        # === GUEST WiFi IPv6 ISOLATION ENFORCEMENT ===
        
        # Guest trying to access Secure LAN via IPv6 (CRITICAL - firewall breach)
        alert ip <LAN_GUEST_v6>/64 any -> <LAN_SECURE_v6>/64 any (msg:"CRITICAL: Guest WiFi Accessing Secure LAN via IPv6"; classtype:policy-violation; priority:1; sid:1000330; rev:1;)
        
        # Guest trying to access tunnel link subnet
        alert ip <LAN_GUEST_v6>/64 any -> <TUNNEL_LINK_v6>/64 any (msg:"CRITICAL: Guest Accessing Tunnel Subnet"; classtype:policy-violation; priority:1; sid:1000331; rev:1;)
        
        
        # === VPN SECURITY (OpenVPN UDP 1192) ===
        
        # VPN Connection from NON-MetroPCS Source
        alert udp !172.32.0.0/11 any -> <WAN_IPV4> 1192 (msg:"CRITICAL: VPN Connection from Non-MetroPCS Source"; classtype:policy-violation; priority:1; sid:1000010; rev:1;)
        
        # VPN Brute Force from MetroPCS
        alert udp 172.32.0.0/11 any -> <WAN_IPV4> 1192 (msg:"OpenVPN Brute Force from MetroPCS"; threshold:type both, track by_src, count 10, seconds 60; classtype:attempted-admin; sid:1000011; rev:1;)
        
        # VPN Connection Flood (DoS)
        alert udp any any -> <WAN_IPV4> 1192 (msg:"OpenVPN Connection Flood"; threshold:type threshold, track by_src, count 50, seconds 10; classtype:attempted-dos; sid:1000012; rev:1;)
        
        # OpenVPN Malformed Packet
        alert udp any any -> <WAN_IPV4> 1192 (msg:"Malformed OpenVPN Packet"; dsize:<14; classtype:protocol-command-decode; sid:1000013; rev:1;)
        
        
        # === INBOUND PORT SCAN DETECTION (IPv4) ===
        
        # Standard Port Scan
        alert tcp any any -> <WAN_IPV4> any (msg:"Port Scan Against WAN IPv4"; flags:S; threshold:type threshold, track by_src, count 20, seconds 60; classtype:attempted-recon; sid:1000050; rev:1;)
        
        # Aggressive Scan
        alert tcp any any -> <WAN_IPV4> any (msg:"Aggressive Port Scan Detected"; flags:S; threshold:type threshold, track by_src, count 50, seconds 30; classtype:attempted-recon; sid:1000051; rev:1;)
        
        # Nmap OS Detection
        alert tcp any any -> <WAN_IPV4> any (msg:"Nmap OS Detection Scan"; flags:S; window:1024; threshold:type limit, track by_src, count 1, seconds 60; classtype:attempted-recon; sid:1000052; rev:1;)
        
        # Christmas Tree Scan
        alert tcp any any -> <WAN_IPV4> any (msg:"TCP Christmas Tree Scan"; flags:FPU; classtype:attempted-recon; sid:1000053; rev:1;)
        
        # NULL Scan
        alert tcp any any -> <WAN_IPV4> any (msg:"TCP NULL Scan"; flags:0; classtype:attempted-recon; sid:1000054; rev:1;)
        
        # XMAS Scan (duplicate of Christmas Tree, but kept for clarity)
        alert tcp any any -> <WAN_IPV4> any (msg:"TCP XMAS Scan"; flags:FPU; classtype:attempted-recon; sid:1000055; rev:1;)
        
        
        # === INBOUND PORT SCAN DETECTION (IPv6) ===
        
        # IPv6 Port Scan - Secure LAN Gateway
        alert tcp any any -> <LAN_SECURE_GW_v6> any (msg:"IPv6 Port Scan Against Secure LAN Gateway"; flags:S; threshold:type threshold, track by_src, count 20, seconds 60; classtype:attempted-recon; sid:1000056; rev:1;)
        
        # IPv6 Port Scan - Guest Gateway
        alert tcp any any -> <LAN_GUEST_GW_v6> any (msg:"IPv6 Port Scan Against Guest Gateway"; flags:S; threshold:type threshold, track by_src, count 20, seconds 60; classtype:attempted-recon; sid:1000057; rev:1;)
        
        # IPv6 Subnet Scan - Secure LAN
        alert tcp any any -> <LAN_SECURE_v6>/64 any (msg:"IPv6 Subnet Scan (Secure LAN)"; flags:S; threshold:type threshold, track by_src, count 50, seconds 60; classtype:attempted-recon; sid:1000058; rev:1;)
        
        # IPv6 Subnet Scan - Guest WiFi
        alert tcp any any -> <LAN_GUEST_v6>/64 any (msg:"IPv6 Subnet Scan (Guest WiFi)"; flags:S; threshold:type threshold, track by_src, count 50, seconds 60; classtype:attempted-recon; sid:1000059; rev:1;)
        
        
        # === DENIAL OF SERVICE ATTACKS ===
        
        # SYN Flood (IPv4)
        alert tcp any any -> <WAN_IPV4> any (msg:"SYN Flood Attack (IPv4)"; flags:S; threshold:type threshold, track by_dst, count 100, seconds 10; classtype:attempted-dos; sid:1000070; rev:1;)
        
        # SYN Flood (IPv6 Secure LAN)
        alert tcp any any -> <LAN_SECURE_v6>/64 any (msg:"SYN Flood Attack (IPv6 Secure LAN)"; flags:S; threshold:type threshold, track by_dst, count 100, seconds 10; classtype:attempted-dos; sid:1000071; rev:1;)
        
        # SYN Flood (IPv6 Guest)
        alert tcp any any -> <LAN_GUEST_v6>/64 any (msg:"SYN Flood Attack (IPv6 Guest)"; flags:S; threshold:type threshold, track by_dst, count 100, seconds 10; classtype:attempted-dos; sid:1000072; rev:1;)
        
        # ICMP Flood (IPv4)
        alert icmp any any -> <WAN_IPV4> any (msg:"ICMP Flood Attack"; threshold:type threshold, track by_dst, count 50, seconds 10; classtype:attempted-dos; sid:1000073; rev:1;)
        
        # ICMPv6 Flood (Secure LAN)
        alert icmp any any -> <LAN_SECURE_v6>/64 any (msg:"ICMPv6 Flood (Secure LAN)"; threshold:type threshold, track by_dst, count 50, seconds 10; classtype:attempted-dos; sid:1000074; rev:1;)
        
        # ICMPv6 Flood (Guest)
        alert icmp any any -> <LAN_GUEST_v6>/64 any (msg:"ICMPv6 Flood (Guest)"; threshold:type threshold, track by_dst, count 50, seconds 10; classtype:attempted-dos; sid:1000075; rev:1;)
        
        # === WHITELIST LEGITIMATE QUIC SERVICES ===
        # IMPORTANT: These MUST come BEFORE UDP flood detection rules
        
        # Facebook/Instagram QUIC - IPv4
        pass udp 157.240.0.0/16 443 -> any any (msg:"Allow Facebook QUIC (IPv4)"; sid:1000500; rev:1;)
        
        # Facebook/Instagram QUIC - IPv6  
        pass udp 2a03:2880::/32 443 -> any any (msg:"Allow Facebook QUIC (IPv6)"; sid:1000501; rev:1;)
        
        # Google/YouTube QUIC - IPv4
        pass udp [74.125.0.0/16,172.217.0.0/16,173.194.0.0/16,142.251.0.0/16] 443 -> any any (msg:"Allow Google QUIC (IPv4)"; sid:1000502; rev:1;)
        
        # Google/YouTube QUIC - IPv6
        pass udp 2607:f8b0::/32 443 -> any any (msg:"Allow Google QUIC (IPv6)"; sid:1000503; rev:1;)
        
        # Apple iCloud QUIC
        pass udp [17.0.0.0/8,57.144.0.0/16] 443 -> any any (msg:"Allow Apple QUIC (IPv4)"; sid:1000504; rev:1;)
        
        # Microsoft/Teams QUIC
        pass udp [13.107.0.0/16,52.96.0.0/14] 443 -> any any (msg:"Allow Microsoft QUIC (IPv4)"; sid:1000505; rev:1;)
        
        # UDP Flood (IPv4)
        alert udp !172.32.0.0/11 any -> <WAN_IPV4> any (msg:"UDP Flood Attack (IPv4) - External Only"; threshold:type threshold, track by_dst, count 10000, seconds 60; classtype:attempted-dos; priority:2; sid:1000076; rev:2;)
        
        # UDP Flood (IPv6 Secure)
        alert udp any any -> <LAN_SECURE_v6>/64 any (msg:"UDP Flood (IPv6 Secure LAN)"; threshold:type threshold, track by_dst, count 10000, seconds 60; classtype:attempted-dos; sid:1000077; rev:1;)
        
        # UDP Flood (IPv6 Guest)
        alert udp any any -> <LAN_GUEST_v6>/64 any (msg:"UDP Flood (IPv6 Guest)"; threshold:type threshold, track by_dst, count 10000, seconds 60; classtype:attempted-dos; sid:1000078; rev:1;)
        
        # IP Fragment Flood
        alert ip any any -> <WAN_IPV4> any (msg:"IP Fragment Flood"; fragbits:M; threshold:type threshold, track by_src, count 50, seconds 10; classtype:attempted-dos; sid:1000079; rev:1;)
        
        # Slowloris Attack
        alert tcp any any -> <WAN_IPV4> 80 (msg:"Slowloris Attack Detected"; flow:to_server,established; threshold:type threshold, track by_src, count 50, seconds 300; classtype:attempted-dos; sid:1000080; rev:1;)
        
        # === SSH PROTECTION ===
        
        # SSH Brute Force (IPv4)
        alert tcp any any -> <WAN_IPV4> 22 (msg:"SSH Brute Force (IPv4)"; flow:to_server,established; content:"SSH"; depth:4; threshold:type both, track by_src, count 5, seconds 60; classtype:attempted-admin; sid:1000020; rev:1;)
        
        # SSH Brute Force (IPv6 Secure LAN)
        alert tcp any any -> <LAN_SECURE_GW_v6> 22 (msg:"SSH Brute Force (IPv6 Secure LAN)"; flow:to_server,established; content:"SSH"; depth:4; threshold:type both, track by_src, count 5, seconds 60; classtype:attempted-admin; sid:1000021; rev:1;)
        
        # SSH Version Scan
        alert tcp any any -> <WAN_IPV4> 22 (msg:"SSH Version Scan"; flow:to_server; flags:S; threshold:type threshold, track by_src, count 10, seconds 30; classtype:attempted-recon; sid:1000022; rev:1;)
        
        
        # === SMB/NAS ATTACKS ===
        
        # SMB on TCP/445 carries a 4-byte transport header before the |ff|SMB / |fe|SMB
        # magic, so the 4-byte pattern can never fit inside depth:5; depth:8 covers it.
        # These are coarse heuristics, not a substitute for the vendor CVE rules.
        
        # EternalBlue (IPv4)
        alert tcp any any -> <WAN_IPV4> 445 (msg:"CRITICAL: EternalBlue SMB Exploit (IPv4)"; flow:to_server,established; content:"|ff|SMB"; depth:8; content:"|00 00 00|"; distance:9; within:3; classtype:attempted-admin; priority:1; sid:1000003; rev:2;)
        
        # EternalBlue (IPv6 Secure LAN)
        alert tcp any any -> <LAN_SECURE_GW_v6> 445 (msg:"CRITICAL: EternalBlue SMB Exploit (IPv6 Secure LAN)"; flow:to_server,established; content:"|ff|SMB"; depth:8; content:"|00 00 00|"; distance:9; within:3; classtype:attempted-admin; priority:1; sid:1000004; rev:2;)
        
        # SMBGhost (IPv4)
        alert tcp any any -> <WAN_IPV4> 445 (msg:"CRITICAL: SMBGhost Exploit (IPv4)"; flow:to_server,established; content:"|fe|SMB"; depth:8; content:"|11 03 02|"; distance:0; classtype:attempted-admin; priority:1; sid:1000005; rev:2;)
        
        # SMBGhost (IPv6 Secure LAN)
        alert tcp any any -> <LAN_SECURE_GW_v6> 445 (msg:"CRITICAL: SMBGhost Exploit (IPv6 Secure LAN)"; flow:to_server,established; content:"|fe|SMB"; depth:8; content:"|11 03 02|"; distance:0; classtype:attempted-admin; priority:1; sid:1000006; rev:2;)
        
        # SMB Brute Force
        alert tcp any any -> <WAN_IPV4> 445 (msg:"SMB Brute Force Attempt"; flow:to_server,established; threshold:type both, track by_src, count 5, seconds 60; classtype:attempted-admin; sid:1000001; rev:1;)
        
        # SMB NULL Session
        alert tcp any any -> <WAN_IPV4> 445 (msg:"SMB NULL Session Attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"IPC$"; nocase; classtype:attempted-recon; sid:1000002; rev:1;)
        
        # === WEB ATTACKS ===
        
        # SQL Injection
        alert tcp any any -> <WAN_IPV4> 80 (msg:"SQL Injection Attempt"; flow:to_server,established; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; classtype:web-application-attack; sid:1000060; rev:1;)
        
        # Command Injection
        alert tcp any any -> <WAN_IPV4> 80 (msg:"Command Injection Attempt"; flow:to_server,established; pcre:"/[\|\;\`\&\$\(\)]/"; classtype:web-application-attack; sid:1000061; rev:2;)
        
        # Path Traversal
        alert tcp any any -> <WAN_IPV4> 80 (msg:"Path Traversal Attempt"; flow:to_server,established; content:"../"; nocase; threshold:type limit, track by_src, count 1, seconds 60; classtype:web-application-attack; sid:1000062; rev:1;)
        
        # XSS Attempt
        alert tcp any any -> <WAN_IPV4> 80 (msg:"Cross-Site Scripting Attempt"; flow:to_server,established; content:"<script"; nocase; classtype:web-application-attack; sid:1000063; rev:1;)
        
        # Shellshock
        alert tcp any any -> <WAN_IPV4> any (msg:"Shellshock Exploit Attempt"; flow:to_server,established; content:"() {"; nocase; classtype:web-application-attack; sid:1000064; rev:1;)
        
        # Log4Shell
        alert tcp any any -> <WAN_IPV4> any (msg:"CRITICAL: Log4Shell Exploit"; flow:to_server,established; content:"${jndi:"; nocase; classtype:web-application-attack; priority:1; sid:1000065; rev:1;)
        
        # === OUTBOUND THREAT DETECTION ===
        
        # Outbound IRC (IPv4)
        alert tcp <WAN_IPV4> any -> any 6667 (msg:"Outbound IRC - Possible Botnet (IPv4)"; flow:to_server,established; content:"NICK"; nocase; depth:10; classtype:trojan-activity; sid:1000090; rev:1;)
        
        # Outbound IRC (IPv6 Secure LAN)
        alert tcp <LAN_SECURE_GW_v6> any -> any 6667 (msg:"Outbound IRC - Possible Botnet (IPv6 Secure LAN)"; flow:to_server,established; content:"NICK"; nocase; depth:10; classtype:trojan-activity; sid:1000091; rev:1;)
        
        # Outbound IRC (IPv6 Guest)
        alert tcp <LAN_GUEST_GW_v6> any -> any 6667 (msg:"Outbound IRC - Possible Botnet (IPv6 Guest)"; flow:to_server,established; content:"NICK"; nocase; depth:10; classtype:trojan-activity; sid:1000092; rev:1;)
        
        # Cryptomining (IPv4)
        # "stratum+tcp" is a URL scheme found in miner configs, not on the wire. Stratum is
        # JSON-RPC and the miner's first call is mining.subscribe (CryptoNote pools use "login").
        alert tcp <WAN_IPV4> any -> any any (msg:"Cryptomining Pool (IPv4)"; flow:to_server,established; content:"mining.subscribe"; nocase; classtype:trojan-activity; sid:1000093; rev:2;)
        
        # Cryptomining (IPv6 Secure)
        alert tcp <LAN_SECURE_GW_v6> any -> any any (msg:"Cryptomining Pool (IPv6 Secure)"; flow:to_server,established; content:"mining.subscribe"; nocase; classtype:trojan-activity; sid:1000094; rev:2;)
        
        # Cryptomining (IPv6 Guest)
        alert tcp <LAN_GUEST_GW_v6> any -> any any (msg:"Cryptomining Pool (IPv6 Guest)"; flow:to_server,established; content:"mining.subscribe"; nocase; classtype:trojan-activity; sid:1000095; rev:2;)
        
        # Telnet (IPv4)
        alert tcp <WAN_IPV4> any -> any 23 (msg:"Outbound Telnet (IPv4)"; flow:to_server,established; classtype:policy-violation; sid:1000096; rev:1;)
        
        # Telnet (IPv6 Secure)
        alert tcp <LAN_SECURE_GW_v6> any -> any 23 (msg:"Outbound Telnet (IPv6 Secure)"; flow:to_server,established; classtype:policy-violation; sid:1000097; rev:1;)
        
        # FTP (IPv4)
        alert tcp <WAN_IPV4> any -> any 21 (msg:"Outbound FTP (IPv4)"; flow:to_server,established; classtype:policy-violation; sid:1000098; rev:1;)
        
        # FTP (IPv6 Secure)
        alert tcp <LAN_SECURE_GW_v6> any -> any 21 (msg:"Outbound FTP (IPv6 Secure)"; flow:to_server,established; classtype:policy-violation; sid:1000099; rev:1;)
        
        # TOR (IPv4)
        alert tcp <WAN_IPV4> any -> any [9001,9030,9040,9050,9051,9150] (msg:"Outbound TOR (IPv4)"; flow:to_server,established; classtype:policy-violation; sid:1000100; rev:1;)
        
        # TOR (IPv6 Secure)
        alert tcp <LAN_SECURE_GW_v6> any -> any [9001,9030,9040,9050,9051,9150] (msg:"Outbound TOR (IPv6 Secure)"; flow:to_server,established; classtype:policy-violation; sid:1000101; rev:1;)
        
        # Large Data Transfer (IPv4)
        alert tcp <WAN_IPV4> any -> any ![80,443,22,1192,445,3128,8080] (msg:"Large Outbound Data Transfer (IPv4)"; flow:to_server,established; dsize:>10000; threshold:type threshold, track by_dst, count 10, seconds 60; classtype:suspicious-filename-detect; sid:1000102; rev:1;)
        
        # Large Data Transfer (IPv6 Secure)
        alert tcp <LAN_SECURE_GW_v6> any -> any ![80,443,22,1192,445,3128,8080] (msg:"Large Outbound Data Transfer (IPv6 Secure)"; flow:to_server,established; dsize:>10000; threshold:type threshold, track by_dst, count 10, seconds 60; classtype:suspicious-filename-detect; sid:1000103; rev:1;)
        
        
        # === DNS SECURITY ===
        
        # DNS Tunneling (IPv4)
        alert udp <WAN_IPV4> any -> any 53 (msg:"DNS Tunneling (IPv4)"; flow:to_server; content:"|01 00 00 01|"; offset:2; depth:4; dsize:>100; classtype:bad-unknown; sid:1000110; rev:1;)
        
        # DNS Tunneling (IPv6 Secure)
        alert udp <LAN_SECURE_GW_v6> any -> any 53 (msg:"DNS Tunneling (IPv6 Secure)"; flow:to_server; content:"|01 00 00 01|"; offset:2; depth:4; dsize:>100; classtype:bad-unknown; sid:1000111; rev:1;)
        
        # DNS Tunneling (IPv6 Guest)
        alert udp <LAN_GUEST_GW_v6> any -> any 53 (msg:"DNS Tunneling (IPv6 Guest)"; flow:to_server; content:"|01 00 00 01|"; offset:2; depth:4; dsize:>100; classtype:bad-unknown; sid:1000112; rev:1;)
        
        # DNS Query to Suspicious TLD
        # Qnames are sent as length-prefixed labels, not dotted strings: "bad.tk" is
        # |03|bad|02|tk|00|, so "\.tk\x00" can never match; the TLD follows its 2-byte length.
        alert udp any any -> any 53 (msg:"DNS Query to Suspicious TLD"; flow:to_server; content:"|01 00 00 01|"; offset:2; depth:4; pcre:"/\x02(tk|ml|ga|cf|gq)\x00/i"; classtype:trojan-activity; sid:1000113; rev:2;)
        
        # Long DNS label, DGA-style (IPv4)
        # Same wire-format fix: a label-length byte of 20..63 followed by that many characters.
        # (Fast flux is a record-rotation pattern and is not visible in a single query.)
        alert udp <WAN_IPV4> any -> any 53 (msg:"DGA-style Long DNS Label (IPv4)"; flow:to_server; content:"|01 00 00 01|"; offset:2; depth:4; pcre:"/[\x14-\x3f][a-z0-9]{20,}/i"; classtype:trojan-activity; sid:1000114; rev:2;)
        
        # Long DNS label, DGA-style (IPv6 Secure)
        alert udp <LAN_SECURE_GW_v6> any -> any 53 (msg:"DGA-style Long DNS Label (IPv6 Secure)"; flow:to_server; content:"|01 00 00 01|"; offset:2; depth:4; pcre:"/[\x14-\x3f][a-z0-9]{20,}/i"; classtype:trojan-activity; sid:1000115; rev:2;)
        
        # DNS Amplification Response
        alert udp <WAN_IPV4> 53 -> any any (msg:"DNS Amplification Response"; flow:from_server; dsize:>512; threshold:type threshold, track by_dst, count 50, seconds 10; classtype:attempted-dos; sid:1000116; rev:1;)
        
        # === SQUID PROXY ABUSE ===
        
        # Squid Header Injection
        alert tcp any any -> <WAN_IPV4> 3128 (msg:"HTTP Header Injection via Squid"; flow:to_server,established; content:"X-Forwarded-For"; nocase; pcre:"/\r\n\r\n/"; classtype:web-application-attack; sid:1000120; rev:1;)
        
        # Squid CONNECT Abuse
        alert tcp any any -> <WAN_IPV4> 3128 (msg:"Suspicious CONNECT Method via Squid"; flow:to_server,established; content:"CONNECT"; http_method; content:"443"; http_uri; classtype:policy-violation; sid:1000121; rev:1;)
        
        
        # === RECONNAISSANCE ===
        
        # Multiple Failed Connections
        alert tcp any any -> <WAN_IPV4> any (msg:"Multiple Failed Connection Attempts"; flags:R; threshold:type threshold, track by_src, count 20, seconds 60; classtype:attempted-recon; sid:1000130; rev:1;)
        
        # Banner Grabbing
        alert tcp any any -> <WAN_IPV4> any (msg:"Banner Grabbing Detected"; flow:to_server,established; dsize:<10; threshold:type threshold, track by_src, count 5, seconds 60; classtype:attempted-recon; sid:1000131; rev:1;)
        
        # SNMP Brute Force
        alert udp any any -> <WAN_IPV4> 161 (msg:"SNMP Brute Force"; threshold:type threshold, track by_src, count 10, seconds 60; classtype:attempted-recon; sid:1000132; rev:1;)
        
        # Traceroute Detection
        alert ip any any -> <WAN_IPV4> any (msg:"Traceroute Scan Detected"; ttl:1; classtype:attempted-recon; sid:1000133; rev:1;)
        
        # === BOTNET / MALWARE ===
        
        # Mirai Botnet
        alert tcp any any -> <WAN_IPV4> 23 (msg:"Mirai Botnet Scan"; flow:to_server,established; content:"/bin/busybox"; nocase; classtype:trojan-activity; sid:1000140; rev:1;)
        
        # Zeus C2 (IPv4)
        alert tcp <WAN_IPV4> any -> any any (msg:"Zeus Botnet C2 (IPv4)"; flow:to_server,established; content:"POST"; http_method; content:"/gate.php"; http_uri; classtype:trojan-activity; sid:1000141; rev:1;)
        
        # Zeus C2 (IPv6 Secure)
        alert tcp <LAN_SECURE_GW_v6> any -> any any (msg:"Zeus Botnet C2 (IPv6 Secure)"; flow:to_server,established; content:"POST"; http_method; content:"/gate.php"; http_uri; classtype:trojan-activity; sid:1000142; rev:1;)
        
        # Emotet C2
        alert tcp any any -> any any (msg:"Emotet Malware C2 Beacon"; flow:to_server,established; content:"Cookie|3a|"; http_header; pcre:"/[A-F0-9]{32}/"; classtype:trojan-activity; sid:1000143; rev:1;)
        
        # === KNOWN CVE EXPLOITS ===
        
        # Heartbleed
        alert tcp any any -> <WAN_IPV4> 443 (msg:"Heartbleed Exploit Attempt"; flow:to_server,established; content:"|18 03|"; depth:2; content:"|01|"; distance:3; within:1; classtype:attempted-admin; sid:1000150; rev:1;)
        
        # POODLE
        alert tcp any any -> <WAN_IPV4> 443 (msg:"SSLv3 POODLE Vulnerability Exploit"; flow:to_server,established; content:"|16 03 00|"; depth:3; classtype:attempted-admin; sid:1000151; rev:1;)
        
        # Ghost (glibc)
        alert tcp any any -> <WAN_IPV4> any (msg:"Ghost glibc Exploit Attempt"; flow:to_server,established; content:"gethostbyname"; nocase; classtype:attempted-admin; sid:1000152; rev:1;)
        
        # === ADVANCED MALWARE SIGNATURES ===
        
        # Cobalt Strike Beacon (common APT tool)
        alert tcp any any -> any any (msg:"CRITICAL: Cobalt Strike Beacon Detected"; flow:established; content:"|00 00 be ef|"; depth:4; classtype:trojan-activity; priority:1; sid:1001010; rev:1;)
        
        # Metasploit Reverse Shell
        alert tcp [<WAN_IPV4>,<LAN_SECURE_v6>/64,<LAN_GUEST_v6>/64,<FW_TUNNEL_v6>] any -> any any (msg:"CRITICAL: Metasploit Reverse Shell"; flow:to_server,established; content:"metasploit"; nocase; classtype:trojan-activity; priority:1; sid:1001011; rev:2;)
        
        # PowerShell Empire C2
        alert tcp [<WAN_IPV4>,<LAN_SECURE_v6>/64,<LAN_GUEST_v6>/64,<FW_TUNNEL_v6>] any -> any any (msg:"PowerShell Empire C2 Traffic"; flow:to_server,established; content:"GET"; http_method; content:"/admin/get.php"; http_uri; classtype:trojan-activity; sid:1001012; rev:2;)
        
        # Suspicious PowerShell Download Cradle (outbound)
        # NOTE: this and the other port-443 rules below that match text or use http_* only see
        # plaintext when Snort inspects traffic behind a TLS-terminating proxy (e.g. Squid with
        # SSL bump); on the raw WAN interface the payload is encrypted and they never fire.
        alert tcp [<WAN_IPV4>,<LAN_SECURE_GW_v6>] any -> any 443 (msg:"Suspicious PowerShell Download Cradle"; flow:to_server,established; content:"IEX"; nocase; content:"(New-Object"; nocase; distance:0; classtype:trojan-activity; sid:1001013; rev:1;)
        
        # Living Off The Land Binaries (LOLBins) - Certutil abuse
        alert tcp [<WAN_IPV4>,<LAN_SECURE_v6>/64,<LAN_GUEST_v6>/64,<FW_TUNNEL_v6>] any -> any 80 (msg:"Certutil Download Abuse"; flow:to_server,established; content:"certutil"; nocase; content:"-urlcache"; nocase; distance:0; classtype:trojan-activity; sid:1001014; rev:2;)
        
        # === RANSOMWARE DETECTION ===
        
        # SMB Large File Write Burst (ransomware encryption pattern)
        alert tcp any any -> any 445 (msg:"CRITICAL: Ransomware SMB Write Burst"; flow:to_server,established; dsize:>50000; threshold:type threshold, track by_src, count 20, seconds 10; classtype:trojan-activity; priority:1; sid:1001020; rev:1;)
        
        # Suspicious File Extension in SMB (common ransomware extensions)
        alert tcp any any -> any 445 (msg:"CRITICAL: Ransomware File Extension Detected"; flow:established; content:".locked"; nocase; classtype:trojan-activity; priority:1; sid:1001021; rev:1;)
        
        alert tcp any any -> any 445 (msg:"CRITICAL: Ransomware File Extension (.encrypted)"; flow:established; content:".encrypted"; nocase; classtype:trojan-activity; priority:1; sid:1001022; rev:1;)
        
        # Ransom Note Pattern (README.txt, HOW_TO_DECRYPT, etc.)
        alert tcp any any -> any 445 (msg:"CRITICAL: Ransom Note File Detected"; flow:established; pcre:"/(README|DECRYPT|RECOVERY|RANSOM|RESTORE)[_\-]?(ME|YOUR|FILES|DATA|INSTRUCTIONS)?\.(txt|html|hta)/i"; classtype:trojan-activity; priority:1; sid:1001023; rev:1;)
        
        # === CREDENTIAL THEFT / DATA EXFILTRATION ===
        
        # Outbound LDAP (Active Directory credential harvesting)
        alert tcp [<WAN_IPV4>,<LAN_SECURE_GW_v6>] any -> any 389 (msg:"Suspicious Outbound LDAP Connection"; flow:to_server,established; classtype:policy-violation; sid:1001030; rev:1;)
        
        # Kerberoasting Attack Pattern (burst of TGS-REQ from one host)
        # KDC-REQ is DER: pvno [1] INTEGER 5 (a1 03 02 01 05) is immediately followed by
        # msg-type [2] INTEGER 12 (a2 03 02 01 0c) for a TGS-REQ. Over TCP a 4-byte length and
        # the outer APPLICATION tag come first, so the old "a0 03 02 01 05" at depth:5 never hit.
        # A stricter version would also require etype 23 (RC4) in the request body.
        alert tcp any any -> any 88 (msg:"Possible Kerberoasting Attack (TGS-REQ burst)"; flow:to_server,established; content:"|a1 03 02 01 05 a2 03 02 01 0c|"; threshold:type threshold, track by_src, count 10, seconds 60; classtype:attempted-admin; sid:1001031; rev:2;)
        
        # Password Spray Attack (many users, same password)
        alert tcp any any -> any [389,636,3268,3269] (msg:"LDAP Password Spray Attack"; flow:to_server,established; threshold:type threshold, track by_src, count 20, seconds 300; classtype:attempted-admin; sid:1001032; rev:1;)
        
        # Suspicious Pastebin Upload (credential dump)
        alert tcp [<WAN_IPV4>,<LAN_SECURE_GW_v6>] any -> any 443 (msg:"Suspicious Pastebin Upload"; flow:to_server,established; content:"pastebin.com"; http_header; content:"POST"; http_method; classtype:policy-violation; sid:1001033; rev:1;)
        
        # === CLOUD SECURITY ===
        
        # Tor2Web Gateway Access (anonymity service)
        alert tcp [<WAN_IPV4>,<LAN_SECURE_GW_v6>] any -> any 443 (msg:"Tor2Web Gateway Access"; flow:to_server,established; content:".onion."; http_header; classtype:policy-violation; sid:1001040; rev:1;)
        
        # Suspicious Cloud Storage API Access Pattern
        alert tcp [<WAN_IPV4>,<LAN_SECURE_GW_v6>] any -> any 443 (msg:"Bulk Cloud Storage Download"; flow:to_server,established; content:"storage.googleapis.com"; http_header; threshold:type threshold, track by_dst, count 50, seconds 60; classtype:suspicious-filename-detect; sid:1001041; rev:1;)
        
        # GitHub Raw Content Download (malware distribution)
        alert tcp [<WAN_IPV4>,<LAN_SECURE_v6>/64,<LAN_GUEST_v6>/64,<FW_TUNNEL_v6>] any -> any 443 (msg:"Suspicious GitHub Raw Content Download"; flow:to_server,established; content:"raw.githubusercontent.com"; http_header; content:".exe"; http_uri; nocase; classtype:policy-violation; sid:1001042; rev:2;)
        
        # === IOT SECURITY ===
        
        # Mirai Variant - Telnet Scanning
        alert tcp any any -> any 23 (msg:"Mirai IoT Botnet Telnet Scan"; flow:to_server,established; content:"sh"; depth:10; threshold:type threshold, track by_src, count 5, seconds 60; classtype:trojan-activity; sid:1001050; rev:1;)
        
        # UPnP SSDP Amplification (common IoT DDoS)
        alert udp any 1900 -> any any (msg:"UPnP SSDP Amplification Response"; content:"HTTP/1.1 200 OK"; depth:15; dsize:>200; threshold:type threshold, track by_src, count 10, seconds 10; classtype:attempted-dos; sid:1001051; rev:1;)
        
        # Suspicious MQTT Traffic (IoT C2)
        alert tcp [<WAN_IPV4>,<LAN_SECURE_GW_v6>] any -> any 1883 (msg:"Outbound MQTT Connection (IoT C2?)"; flow:to_server,established; classtype:policy-violation; sid:1001052; rev:1;)
        
        # === COVERT CHANNELS (UPDATED) ===
        
        # ICMP Tunneling (data exfiltration via ping)
        alert icmp [<WAN_IPV4>,<LAN_SECURE_GW_v6>] any -> any any (msg:"ICMP Tunneling Detected"; dsize:>100; threshold:type threshold, track by_dst, count 10, seconds 60; classtype:bad-unknown; sid:1001060; rev:1;)
        
        # DNS Over HTTPS (bypassing DNS filtering) - Google
        alert tcp [<WAN_IPV4>,<LAN_SECURE_GW_v6>] any -> any 443 (msg:"DNS Over HTTPS Detected (Google)"; flow:to_server,established; content:"dns.google"; http_header; classtype:policy-violation; sid:1001061; rev:1;)
        
        # DNS Over HTTPS (bypassing DNS filtering) - Cloudflare (if not using it)
        # COMMENTED OUT - Remove # if you want to block Cloudflare DoH
        # alert tcp [<WAN_IPV4>,<LAN_SECURE_GW_v6>] any -> any 443 (msg:"DNS Over HTTPS (Cloudflare)"; flow:to_server,established; content:"cloudflare-dns.com"; http_header; classtype:policy-violation; sid:1001062; rev:1;)
        
        # DNS Over TLS - ONLY alert on non-Cloudflare DoT
        # Cloudflare IPs: 1.0.0.1, 1.0.0.2, 1.1.1.1, 1.1.1.2 (IPv4)
        # Cloudflare IPs: 2606:4700:4700::1001, 2606:4700:4700::1002, 2606:4700:4700::1111, 2606:4700:4700::1112 (IPv6)
        alert tcp [<WAN_IPV4>,<LAN_SECURE_GW_v6>] any -> ![1.0.0.1,1.0.0.2,1.1.1.1,1.1.1.2,2606:4700:4700::1001,2606:4700:4700::1002,2606:4700:4700::1111,2606:4700:4700::1112] 853 (msg:"DNS Over TLS to Non-Cloudflare Server"; flow:to_server,established; classtype:policy-violation; sid:1001063; rev:2;)
        
        # === SUPPLY CHAIN ATTACKS ===
        
        # NPM Package Manager Suspicious Activity
        alert tcp [<WAN_IPV4>,<LAN_SECURE_GW_v6>] any -> any 443 (msg:"Suspicious NPM Package Download"; flow:to_server,established; content:"registry.npmjs.org"; http_header; content:"GET"; http_method; threshold:type threshold, track by_dst, count 100, seconds 60; classtype:policy-violation; sid:1001070; rev:1;)
        
        # PyPI Suspicious Package Download
        alert tcp [<WAN_IPV4>,<LAN_SECURE_GW_v6>] any -> any 443 (msg:"Suspicious PyPI Package Download"; flow:to_server,established; content:"pypi.org"; http_header; threshold:type threshold, track by_dst, count 50, seconds 60; classtype:policy-violation; sid:1001071; rev:1;)
        
        # === WANv6 TUNNEL ENDPOINT PROTECTION ===
        
        # Unsolicited inbound to WANv6 tunnel endpoint
        alert tcp any any -> <FW_TUNNEL_v6> any (msg:"CRITICAL: Unsolicited Inbound to WANv6 Tunnel Endpoint"; flags:S; threshold:type limit, track by_src, count 1, seconds 300; classtype:policy-violation; priority:1; sid:1000340; rev:1;)
        
        # Excessive ICMPv6 to tunnel endpoint
        alert icmp any any -> <FW_TUNNEL_v6> any (msg:"ICMPv6 Flood to WANv6 Endpoint"; threshold:type threshold, track by_src, count 50, seconds 10; classtype:attempted-dos; sid:1000341; rev:1;)
        
        # Port scan against WANv6 endpoint
        alert tcp any any -> <FW_TUNNEL_v6> any (msg:"Port Scan Against WANv6 Endpoint"; flags:S; threshold:type threshold, track by_src, count 20, seconds 60; classtype:attempted-recon; sid:1000342; rev:1;)
        
        # Spoofed source claiming to be from your tunnel
        # Detect packets FROM your tunnel IP coming IN on WAN (true spoofing)
        # NOTE: This requires Snort to be running on WAN interface, not WANv6
        #alert ip <FW_TUNNEL_v6> any -> any any (msg:"CRITICAL: Spoofed Packet Claiming to be WANv6 Tunnel (Inbound on WAN)"; classtype:bad-unknown; priority:1; sid:1000343; rev:2;)
        
        # === ICMPv6 ABUSE DETECTION (for allowed types) ===
        
        # Excessive Echo Requests (ping flood)
        alert icmp any any -> <LAN_SECURE_v6>/64 any (msg:"ICMPv6 Echo Request Flood (Secure LAN)"; itype:128; threshold:type threshold, track by_src, count 100, seconds 10; classtype:attempted-dos; sid:1000350; rev:1;)
        
        alert icmp any any -> <LAN_GUEST_v6>/64 any (msg:"ICMPv6 Echo Request Flood (Guest WiFi)"; itype:128; threshold:type threshold, track by_src, count 100, seconds 10; classtype:attempted-dos; sid:1000351; rev:1;)
        
        alert icmp any any -> <FW_TUNNEL_v6> any (msg:"ICMPv6 Echo Request Flood (WANv6)"; itype:128; threshold:type threshold, track by_src, count 100, seconds 10; classtype:attempted-dos; sid:1000352; rev:1;)
        
        # Neighbor Solicitation flood (NDP exhaustion)
        alert icmp any any -> <LAN_SECURE_v6>/64 any (msg:"ICMPv6 Neighbor Solicitation Flood (Secure LAN)"; itype:135; threshold:type threshold, track by_src, count 50, seconds 10; classtype:attempted-dos; sid:1000353; rev:1;)
        
        alert icmp any any -> <LAN_GUEST_v6>/64 any (msg:"ICMPv6 Neighbor Solicitation Flood (Guest WiFi)"; itype:135; threshold:type threshold, track by_src, count 50, seconds 10; classtype:attempted-dos; sid:1000354; rev:1;)
        
        # Suspicious Packet Too Big messages (PMTU manipulation)
        alert icmp any any -> <LAN_SECURE_v6>/64 any (msg:"Suspicious ICMPv6 Packet Too Big (Secure LAN)"; itype:2; threshold:type threshold, track by_src, count 20, seconds 60; classtype:attempted-dos; sid:1000355; rev:1;)
        
        alert icmp any any -> <LAN_GUEST_v6>/64 any (msg:"Suspicious ICMPv6 Packet Too Big (Guest WiFi)"; itype:2; threshold:type threshold, track by_src, count 20, seconds 60; classtype:attempted-dos; sid:
        

        Make sure to upvote

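An added example, not part of the rule set above or of Snort itself, to show why the DNS pcre patterns in the suspicious-TLD and "fast flux" rules (sid 1000113 to 1000115) cannot fire as posted: a DNS question name travels as length-prefixed labels, so there is no "." byte for `\.tk\x00` or `[a-z0-9]{20,}\.` to find. The script builds queries in memory (nothing is sent, and the names are made up), runs the posted pattern and a wire-format version of it against each query, and parses the labels back out as ground truth.

```python
r"""
Why the DNS pcre rules in part 1 need label-length bytes, not dots.
Added example for this thread; not part of the posted rule set or of Snort.
A DNS question name is sent as length-prefixed labels, so the bytes for
"bad.tk" are |03|bad|02|tk|00| and a pattern such as /\.tk\x00/ can never
match. The queries below are constructed in memory; nothing is resolved.
"""
import re
import struct

def encode_qname(name):
    """RFC 1035 label encoding: <len><label> ... <0>."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("DNS labels are 1..63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(name, txid=0x1234, qtype=1):
    """Standard recursive query: ID, flags 0x0100 (RD), QDCOUNT 1, then the question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", qtype, 1)

def qname_labels(pkt):
    """Parse the question name back out (queries carry no compression pointers)."""
    labels, i = [], 12
    while pkt[i]:
        n = pkt[i]
        labels.append(pkt[i + 1:i + 1 + n].decode("ascii"))
        i += 1 + n
    return labels

def is_standard_query(pkt):
    """Same test as content:"|01 00 00 01|"; offset:2; depth:4; (flags + QDCOUNT)."""
    return pkt[2:6] == b"\x01\x00\x00\x01"

# Patterns as posted (sid 1000113 / 1000114) and their wire-format corrections.
ORIG_TLD = re.compile(rb"\.(tk|ml|ga|cf|gq)\x00", re.I)
FIXED_TLD = re.compile(rb"\x02(tk|ml|ga|cf|gq)\x00", re.I)      # 2-byte label, then end of name
ORIG_LONG = re.compile(rb"[a-z0-9]{20,}\.", re.I)
FIXED_LONG = re.compile(rb"[\x14-\x3f][a-z0-9]{20,}", re.I)    # length byte 20..63, then the label

def evaluate(name):
    """Run the posted and corrected patterns against one constructed query."""
    pkt = build_query(name)
    if not is_standard_query(pkt):
        return {}
    return {
        "orig_tld": bool(ORIG_TLD.search(pkt)),
        "fixed_tld": bool(FIXED_TLD.search(pkt)),
        "orig_long": bool(ORIG_LONG.search(pkt)),
        "fixed_long": bool(FIXED_LONG.search(pkt)),
        "longest_label": max(len(label) for label in qname_labels(pkt)),
    }

if __name__ == "__main__":
    for n in ("cdn-files.example.tk", "www.example.com", "x" * 24 + ".example.com"):
        print(n, evaluate(n))
```

The same reasoning applies to any content or pcre aimed at a qname: write the pattern against the label bytes (`|02|tk|00|`, `|03|com|00|`), never against the dotted form you see in dig output.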
        • JonathanLeeJ Offline
          JonathanLee @JonathanLee
          last edited by JonathanLee

          part 2

          1000356; rev:1;)
          
          alert icmp any any -> <FW_TUNNEL_v6> any (msg:"Suspicious ICMPv6 Packet Too Big (WANv6)"; itype:2; threshold:type threshold, track by_src, count 20, seconds 60; classtype:attempted-dos; sid:1000357; rev:1;)
          
          

          If there is anything else, please let me know. This has some adaptations to it for UDP flood issues with false positives, etc.
          Parts one and two are because of the 32762-character limit on my posts.

          Make sure to upvote

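An added example, not part of the posted rules or of the pfSense Snort package: a small linter to run over parts 1 and 2 before loading them. It parses each rule header and option list and reports the things a reviewer trips over in a set this size: duplicate sids, two rules whose bodies differ only in msg/sid/rev (the Christmas Tree and XMAS pair), missing sid or rev, text or http_* matches pointed at TLS ports (encrypted unless Snort sits behind an SSL-bumping proxy), DNS pcre patterns containing a literal dot, and the `threshold` rule option, which Snort 2.9 deprecates in favour of `detection_filter` and Snort 3 does not accept. `SAMPLE_RULES` is a constructed subset shaped like the posted rules; the check names and the port list are my choices, not Snort's own validation.

```python
r"""
Lint a pasted Snort 2.9 rule set before loading it on pfSense. Added example for
this thread; it is not part of the posted rule set or of the Snort package.
Checks: duplicate sids; rules whose bodies differ only in msg/sid/rev; missing
sid/rev; plaintext content or http_* matches aimed at TLS ports (those only see
cleartext behind a TLS-terminating proxy such as Squid with SSL bump); DNS pcre
with a literal '.' (qnames are length-prefixed labels); and the 'threshold'
option (deprecated in Snort 2.9 in favour of detection_filter, absent in Snort 3).
SAMPLE_RULES is a constructed subset shaped like the rules above.
"""
import re
from collections import Counter, defaultdict

RULE_RE = re.compile(
    r"^(?P<action>alert|pass|drop|log|reject|sdrop)\s+(?P<proto>\w+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$")
OPT_RE = re.compile(r'(\w+)(?::("(?:[^"\\]|\\.)*"|[^;]*))?;')  # name[:value];
HEX_ONLY = re.compile(r"^(\|[0-9a-fA-F ]+\|)+$")               # e.g. |18 03|
TLS_PORTS = {"443", "465", "853", "993", "995"}

def parse_rule(line):
    """Header fields plus {option: [values]}, or None if the header is malformed."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    rule = m.groupdict()
    opts = defaultdict(list)
    for name, val in OPT_RE.findall(rule.pop("opts")):
        opts[name].append(val.strip().strip('"'))
    rule["opts"] = dict(opts)
    return rule

def body_key(rule):
    """Everything that decides whether a rule fires; msg/sid/rev are labels only."""
    opts = tuple(sorted((k, tuple(v)) for k, v in rule["opts"].items()
                        if k not in ("msg", "sid", "rev")))
    return (rule["action"], rule["proto"], rule["src"], rule["sport"],
            rule["dir"], rule["dst"], rule["dport"], opts)

def lint(text):
    """Return (line_no, sid, code, detail) findings for a rules file."""
    rules, findings = [], []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        rule = parse_rule(line)
        if rule is None:
            findings.append((n, "", "unparseable", line[:40]))
        else:
            rules.append((n, rule))
    sids = Counter(r["opts"].get("sid", [""])[0] for _, r in rules)
    seen = {}
    for n, r in rules:
        o, sid = r["opts"], r["opts"].get("sid", [""])[0]
        for req in ("sid", "rev"):
            if req not in o:
                findings.append((n, sid, "missing_" + req, ""))
        if sid and sids[sid] > 1:
            findings.append((n, sid, "duplicate_sid", ""))
        key = body_key(r)
        if key in seen:
            findings.append((n, sid, "duplicate_body", "same as sid " + seen[key]))
        seen.setdefault(key, sid)
        if "threshold" in o:
            findings.append((n, sid, "threshold_keyword", "use detection_filter"))
        plaintext = any(k.startswith("http_") for k in o) or any(
            not HEX_ONLY.match(c) for c in o.get("content", []))
        if {r["sport"], r["dport"]} & TLS_PORTS and plaintext:
            findings.append((n, sid, "plaintext_on_tls_port", "needs TLS interception"))
        if r["dport"] == "53" and any("\\." in p for p in o.get("pcre", [])):
            findings.append((n, sid, "dns_literal_dot", "labels are length-prefixed"))
    return findings

def codes_by_sid(findings):
    out = defaultdict(set)
    for _, sid, code, _ in findings:
        out[sid].add(code)
    return dict(out)

# Constructed subset shaped like the posted rules (placeholders kept as-is).
SAMPLE_RULES = r"""
alert tcp any any -> <WAN_IPV4> any (msg:"TCP Christmas Tree Scan"; flags:FPU; classtype:attempted-recon; sid:1000053; rev:1;)
alert tcp any any -> <WAN_IPV4> any (msg:"TCP XMAS Scan"; flags:FPU; classtype:attempted-recon; sid:1000055; rev:1;)
alert tcp any any -> <WAN_IPV4> 443 (msg:"Heartbleed Exploit Attempt"; flow:to_server,established; content:"|18 03|"; depth:2; content:"|01|"; distance:3; within:1; classtype:attempted-admin; sid:1000150; rev:1;)
alert tcp [<WAN_IPV4>,<LAN_SECURE_GW_v6>] any -> any 443 (msg:"DNS Over HTTPS Detected (Google)"; flow:to_server,established; content:"dns.google"; http_header; classtype:policy-violation; sid:1001061; rev:1;)
alert udp any any -> any 53 (msg:"DNS Query to Suspicious TLD"; flow:to_server; content:"|01 00 00 01|"; offset:2; depth:4; pcre:"/\.(tk|ml|ga|cf|gq)\x00/i"; classtype:trojan-activity; sid:1000113; rev:1;)
alert tcp any any -> <WAN_IPV4> 22 (msg:"SSH Version Scan"; flow:to_server; flags:S; threshold:type threshold, track by_src, count 10, seconds 30; classtype:attempted-recon; sid:1000022; rev:1;)
"""

def lint_sample():
    return lint(SAMPLE_RULES)

if __name__ == "__main__":
    for n, sid, code, detail in lint_sample():
        print(f"line {n:3} sid {sid or '-':8} {code:22} {detail}")
```

Point `lint()` at the saved rules file (`lint(open("wan.rules").read())`) and treat `unparseable` as a hard stop: Snort refuses the whole file on a bad header, so one broken line takes every other rule down with it. The Heartbleed rule in the sample is deliberately not flagged, because it matches TLS record bytes rather than the encrypted payload.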
          • tinfoilmattT Offline
            tinfoilmatt LAYER 8
            last edited by

            Nothing to add, just curious—where'd you get these rules from? Did you cannibalize from somewhere/s else?

            • JonathanLeeJ Offline
              JonathanLee @tinfoilmatt
              last edited by JonathanLee

              @tinfoilmatt playing around with Claude I couldn't believe it... just amazing.... It customized my rule set. I just asked it what to do and added my network design, and it just created a huge custom rule set. It did have some adjustments I made, but not many. An artificial-intelligence-based IPS/IDS rule set that is like SOC-level stuff. I mean, talk about security improvements, right? As a university student, I keep saying embrace AI, or someone who does is gonna run me right over. It is never going away, just like the smartphone; it's a goldmine right now. It's like it has information from every online forum, everything on the internet, and parses that data effectively.

              Make sure to upvote

              • tinfoilmattT Offline
                tinfoilmatt LAYER 8 @JonathanLee
                last edited by

                @JonathanLee Interesting.

                What we're living through now is the partial realization of what I somewhat mistakenly believed Web 3.0's 'semantic web' concept from a quarter-century ago was all about. I.e., tell the 'search engine' what you're looking for in natural human language, and it will deliver.

                Berners-Lee originally expressed his vision of the Semantic Web in 1999 as follows:

                I have a dream for the Web [in which computers] become capable of analyzing all the data on the Web – the content, links, and transactions between people and computers. A "Semantic Web", which makes this possible, has yet to emerge, but when it does, the day-to-day mechanisms of trade, bureaucracy and our daily lives will be handled by machines talking to machines. The "intelligent agents" people have touted for ages will finally materialize.

                Copyright 2026 Rubicon Communications LLC (Netgate). All rights reserved.