Netgate Discussion Forum

    Custom Snort IPS/IDS ruleset

    JonathanLee wrote:

      Hello fellow Netgate Community members, I wanted to share this and get some feedback on what you thought. This is a custom rule set that works pretty well and catches a lot. It sits on my WAN interface, has caught some bad guys, and I have got some good data out of it for reporting. Let me know what you think.

      # ============================================
      # WAN INTERFACE SECURITY RULES - PRODUCTION
      # CLEANED & OPTIMIZED FOR:
      #   - Netgate 2100-MAX (ARM Cortex-A53)
      #   - Snort Legacy Block Mode
      #   - Default-Deny WAN Firewall
      #   - No inbound web server
      #   - NAS on Secure LAN (SMB via VPN terminates internally)
      #   - OpenVPN on UDP 1194
      # ============================================
      # Network Configuration:
      # - IPv4 WAN: <YOUR_WAN_IP>/32 (static)
      # - IPv4 Gateway: <YOUR_WAN_GATEWAY>
      # - IPv6 Tunnel Link: <YOUR_HE_TUNNEL_LINK>/64
      #   ├─ HE Gateway: <YOUR_HE_TUNNEL_LINK>::1
      #   └─ pfSense: <YOUR_HE_TUNNEL_LINK>::2
      # - IPv6 Routed Prefix: <YOUR_HE_ROUTED_PREFIX>/48
      #   ├─ Secure LAN: <YOUR_HE_ROUTED_PREFIX>:a::/64
      #   └─ Guest WiFi: <YOUR_HE_ROUTED_PREFIX>:b::/64
      # - VPN Access: <YOUR_CARRIER_SUBNET>/11 only
      # - VPN Client Subnet: <YOUR_VPN_CLIENT_SUBNET>/24
      # - Squid Proxy: <YOUR_LAN_GW_IP> (IPv4), <YOUR_LAN_GW_IPv6> (IPv6)
      # ============================================
      # NOTE: SID namespace uses 1000xxx/1001xxx ranges.
      # Official recommended local range is 9000001-9099999.
      # Renumbering deferred - verify no conflicts if ET/community
      # rulesets are added in future.
      
      # === HURRICANE ELECTRIC IPv6 TUNNEL PROTECTION ===
      
      # Alert on spoofed tunnel packets not from HE
      # Replace <HE_SERVER_IP> with your Hurricane Electric tunnel server IP
      alert ip !<HE_SERVER_IP> any -> <YOUR_WAN_IP> any (msg:"CRITICAL: Spoofed IPv6 Tunnel Packet (Not from HE)"; ip_proto:41; classtype:protocol-command-decode; priority:1; sid:1000300; rev:1;)
      
      # Suspicious ICMP unreachable toward YOUR WAN (not HE's server)
      alert icmp any any -> <YOUR_WAN_IP> any (msg:"Suspicious ICMP Unreachable to WAN Tunnel Endpoint"; itype:3; threshold:type threshold, track by_src, count 10, seconds 60; classtype:attempted-dos; sid:1000301; rev:2;)
      
      # ICMP redirect toward YOUR WAN (not HE's server)
      alert icmp any any -> <YOUR_WAN_IP> any (msg:"ICMP Redirect to WAN Tunnel Endpoint"; itype:5; classtype:attempted-dos; sid:1000302; rev:2;)
      
      # Tunnel fragmentation attack
      alert ip any any -> <YOUR_WAN_IP> any (msg:"IPv6 Tunnel Fragmentation Attack"; ip_proto:41; fragbits:M; threshold:type threshold, track by_src, count 20, seconds 10; classtype:attempted-dos; sid:1000303; rev:1;)
      
      # === IPv6 TUNNEL BYPASS DETECTION ===
      
      # Teredo tunneling (IPv6 over IPv4 UDP - potential firewall bypass)
      alert udp $EXTERNAL_NET any -> $HOME_NET 3544 (msg:"Teredo IPv6 Tunnel Detected - Possible Bypass (External Only)"; classtype:policy-violation; sid:1000319; rev:2;)
      
      # 6to4 tunneling detection (IP protocol 41 with 6to4 prefix)
      # The 2002::/16 prefix lives in the encapsulated IPv6 source address, which
      # begins at byte 8 of the inner header; matching at offset 0 would test the
      # version/traffic-class bytes (always 0x6x) and never fire.
      alert ip any any -> <YOUR_WAN_IP> any (msg:"6to4 IPv6 Tunnel Detected"; ip_proto:41; content:"|20 02|"; offset:8; depth:2; classtype:policy-violation; sid:1000320; rev:3;)
      
      # === VPN SECURITY (OpenVPN UDP 1194) ===
      # NOTE: Replace <YOUR_CARRIER_SUBNET>/11 with your mobile carrier's IP range
      # This restricts VPN access to your carrier network only
      
      # VPN connection from non-carrier source
      alert udp !<YOUR_CARRIER_SUBNET>/11 any -> <YOUR_WAN_IP> 1194 (msg:"CRITICAL: VPN Connection from Non-Carrier Source"; classtype:policy-violation; priority:1; sid:1000010; rev:2;)
      
      # VPN brute force from carrier
      alert udp <YOUR_CARRIER_SUBNET>/11 any -> <YOUR_WAN_IP> 1194 (msg:"OpenVPN Brute Force from Carrier"; threshold:type both, track by_src, count 10, seconds 60; classtype:attempted-admin; sid:1000011; rev:2;)
      
      # VPN connection flood (DoS)
      alert udp !<YOUR_CARRIER_SUBNET>/11 any -> <YOUR_WAN_IP> 1194 (msg:"OpenVPN Connection Flood from Non-Carrier (High Rate)"; threshold:type threshold, track by_src, count 200, seconds 10; classtype:attempted-dos; sid:1000012; rev:3;)
      
      # OpenVPN malformed packet
      alert udp any any -> <YOUR_WAN_IP> 1194 (msg:"Malformed OpenVPN Packet"; dsize:<14; classtype:protocol-command-decode; sid:1000013; rev:2;)
      
      # === DENIAL OF SERVICE ATTACKS ===
      
      # SYN flood
      alert tcp any any -> <YOUR_WAN_IP> any (msg:"SYN Flood Attack (IPv4)"; flags:S; threshold:type threshold, track by_dst, count 100, seconds 10; classtype:attempted-dos; sid:1000070; rev:1;)
      alert tcp any any -> <YOUR_HE_TUNNEL_ENDPOINT> any (msg:"SYN Flood Attack (IPv6)"; flags:S; threshold:type threshold, track by_dst, count 100, seconds 10; classtype:attempted-dos; sid:1000133; rev:1;)
      
      # RST flood (connection teardown DoS)
      alert tcp any any -> <YOUR_WAN_IP> any (msg:"RST Flood Attack (IPv4)"; flags:R; threshold:type threshold, track by_src, count 200, seconds 10; classtype:attempted-dos; sid:1000071; rev:1;)
      alert tcp any any -> <YOUR_HE_TUNNEL_ENDPOINT> any (msg:"RST Flood Attack (IPv6)"; flags:R; threshold:type threshold, track by_src, count 200, seconds 10; classtype:attempted-dos; sid:1000132; rev:1;)
      
      # ICMP flood (IPv4)
      alert icmp any any -> <YOUR_WAN_IP> any (msg:"ICMP Flood Attack"; threshold:type threshold, track by_dst, count 50, seconds 10; classtype:attempted-dos; sid:1000073; rev:1;)
      
      # ICMP address mask request (recon probe, IPv4 only - no ICMPv6 equivalent)
      alert icmp any any -> <YOUR_WAN_IP> any (msg:"ICMP Address Mask Request to WAN"; itype:17; classtype:attempted-recon; sid:1000074; rev:1;)
      
      # === WHITELIST LEGITIMATE QUIC SERVICES ===
      
      # Facebook/Instagram QUIC - IPv4
      pass udp 157.240.0.0/16 443 -> any any (msg:"Allow Facebook QUIC (IPv4)"; sid:1000500; rev:1;)
      
      # Facebook/Instagram QUIC - IPv6
      pass udp 2a03:2880::/32 443 -> any any (msg:"Allow Facebook QUIC (IPv6)"; sid:1000501; rev:1;)
      
      # Google/YouTube QUIC - IPv4
      pass udp [74.125.0.0/16,172.217.0.0/16,173.194.0.0/16,142.251.0.0/16] 443 -> any any (msg:"Allow Google QUIC (IPv4)"; sid:1000502; rev:1;)
      
      # Google/YouTube QUIC - IPv6
      pass udp 2607:f8b0::/32 443 -> any any (msg:"Allow Google QUIC (IPv6)"; sid:1000503; rev:1;)
      
      # Apple iCloud QUIC
      pass udp [17.0.0.0/8,57.144.0.0/16] 443 -> any any (msg:"Allow Apple QUIC (IPv4)"; sid:1000504; rev:1;)
      
      # Microsoft/Teams QUIC
      pass udp [13.107.0.0/16,52.96.0.0/12,20.190.0.0/16] 443 -> any any (msg:"Allow Microsoft QUIC (IPv4)"; sid:1000505; rev:2;)
      
      # UDP flood (IPv4) - excludes carrier VPN range to avoid false positives
      alert udp !<YOUR_CARRIER_SUBNET>/11 any -> <YOUR_WAN_IP> any (msg:"UDP Flood Attack (IPv4) - External Only"; threshold:type threshold, track by_dst, count 250000, seconds 60; classtype:attempted-dos; priority:2; sid:1000076; rev:2;)
      
      # IP fragment flood
      alert ip any any -> <YOUR_WAN_IP> any (msg:"IP Fragment Flood"; fragbits:M; threshold:type threshold, track by_src, count 50, seconds 10; classtype:attempted-dos; sid:1000079; rev:1;)
      
      # === WANv6 TUNNEL ENDPOINT PROTECTION ===
      
      # Unsolicited inbound to WANv6 tunnel endpoint
      alert tcp any any -> <YOUR_HE_TUNNEL_ENDPOINT> any (msg:"CRITICAL: Unsolicited Inbound to WANv6 Tunnel Endpoint"; flags:S; threshold:type limit, track by_src, count 1, seconds 300; classtype:policy-violation; priority:1; sid:1000340; rev:1;)
      
      # Excessive ICMPv6 to tunnel endpoint
      alert ip any any -> <YOUR_HE_TUNNEL_ENDPOINT> any (msg:"ICMPv6 Flood to WANv6 Endpoint"; ip_proto:58; threshold:type threshold, track by_src, count 50, seconds 10; classtype:attempted-dos; sid:1000341; rev:2;)
      
      # Port scan against WANv6 endpoint
      alert tcp any any -> <YOUR_HE_TUNNEL_ENDPOINT> any (msg:"Port Scan Against WANv6 Endpoint"; flags:S; threshold:type threshold, track by_src, count 20, seconds 60; classtype:attempted-recon; sid:1000342; rev:1;)
      
      # === ICMPv6 ABUSE DETECTION ===
      
      # Excessive echo requests to WANv6 (ping flood)
      # Generic ICMPv6 flood is covered by sid:1000341 above; this rule keys on
      # echo request only (ICMPv6 type 128), which an ip_proto:58 rule cannot express
      alert icmp any any -> <YOUR_HE_TUNNEL_ENDPOINT> any (msg:"ICMPv6 Echo Request Flood (WANv6)"; itype:128; threshold:type threshold, track by_src, count 100, seconds 10; classtype:attempted-dos; sid:1000352; rev:4;)
      
      # Suspicious Packet Too Big to WANv6 (PMTU manipulation attack)
      # Packet Too Big is ICMPv6 type 2; without itype this rule only duplicated sid:1000341
      alert icmp any any -> <YOUR_HE_TUNNEL_ENDPOINT> any (msg:"Suspicious ICMPv6 Packet Too Big (WANv6)"; itype:2; threshold:type threshold, track by_src, count 20, seconds 60; classtype:attempted-dos; sid:1000357; rev:3;)
      
      # === OUTBOUND THREAT DETECTION (POST-NAT IPv4 + IPv6) ===
      # Outbound IRC - possible botnet C2
      alert tcp <YOUR_WAN_IP> any -> any 6667 (msg:"Outbound IRC - Possible Botnet (IPv4)"; flow:to_server,established; content:"NICK"; nocase; depth:10; classtype:trojan-activity; sid:1000090; rev:1;)
      alert tcp <YOUR_WAN_IP> any -> any 6697 (msg:"Outbound IRC over TLS - Possible Botnet (IPv4)"; flow:to_server,established; classtype:trojan-activity; sid:1000128; rev:1;)
      alert tcp [<YOUR_SECURE_LAN_v6>/64,<YOUR_GUEST_LAN_v6>/64] any -> any 6667 (msg:"Outbound IRC - Possible Botnet (IPv6)"; flow:to_server,established; content:"NICK"; nocase; depth:10; classtype:trojan-activity; sid:1000121; rev:1;)
      alert tcp [<YOUR_SECURE_LAN_v6>/64,<YOUR_GUEST_LAN_v6>/64] any -> any 6697 (msg:"Outbound IRC over TLS - Possible Botnet (IPv6)"; flow:to_server,established; classtype:trojan-activity; sid:1000129; rev:1;)
      
      # Cryptomining pool connection
      alert tcp <YOUR_WAN_IP> any -> any any (msg:"Cryptomining Pool (IPv4)"; flow:to_server,established; content:"stratum+tcp"; nocase; classtype:trojan-activity; sid:1000093; rev:1;)
      alert tcp [<YOUR_SECURE_LAN_v6>/64,<YOUR_GUEST_LAN_v6>/64] any -> any any (msg:"Cryptomining Pool (IPv6)"; flow:to_server,established; content:"stratum+tcp"; nocase; classtype:trojan-activity; sid:1000122; rev:1;)
      
      # Outbound Telnet (cleartext protocol, should never be used)
      alert tcp <YOUR_WAN_IP> any -> any 23 (msg:"Outbound Telnet (IPv4)"; flow:to_server,established; classtype:policy-violation; sid:1000096; rev:1;)
      alert tcp [<YOUR_SECURE_LAN_v6>/64,<YOUR_GUEST_LAN_v6>/64] any -> any 23 (msg:"Outbound Telnet (IPv6)"; flow:to_server,established; classtype:policy-violation; sid:1000123; rev:1;)
      
      # Outbound FTP (cleartext protocol, policy violation)
      alert tcp <YOUR_WAN_IP> any -> any 21 (msg:"Outbound FTP (IPv4)"; flow:to_server,established; classtype:policy-violation; sid:1000098; rev:1;)
      alert tcp [<YOUR_SECURE_LAN_v6>/64,<YOUR_GUEST_LAN_v6>/64] any -> any 21 (msg:"Outbound FTP (IPv6)"; flow:to_server,established; classtype:policy-violation; sid:1000124; rev:1;)
      
      # Outbound TOR
      alert tcp <YOUR_WAN_IP> any -> any [9001,9030,9040,9050,9051,9150] (msg:"Outbound TOR (IPv4)"; flow:to_server,established; classtype:policy-violation; sid:1000100; rev:1;)
      alert tcp [<YOUR_SECURE_LAN_v6>/64,<YOUR_GUEST_LAN_v6>/64] any -> any [9001,9030,9040,9050,9051,9150] (msg:"Outbound TOR (IPv6)"; flow:to_server,established; classtype:policy-violation; sid:1000125; rev:1;)
      
      # Large outbound data transfer on non-standard ports (possible exfil)
      # Excludes web, VPN, SMB, proxy ports to reduce false positives
      alert tcp <YOUR_WAN_IP> any -> any ![80,443,1194,445] (msg:"Large Outbound Data Transfer (IPv4)"; flow:to_server,established; dsize:>10000; threshold:type threshold, track by_dst, count 10, seconds 60; classtype:suspicious-filename-detect; sid:1000102; rev:2;)
      alert tcp [<YOUR_SECURE_LAN_v6>/64,<YOUR_GUEST_LAN_v6>/64] any -> any ![80,443,1194,445] (msg:"Large Outbound Data Transfer (IPv6)"; flow:to_server,established; dsize:>10000; threshold:type threshold, track by_dst, count 10, seconds 60; classtype:suspicious-filename-detect; sid:1000126; rev:1;)
      
      # Outbound SMTP - compromised host indicator (no mail server exists)
      alert tcp <YOUR_WAN_IP> any -> any 25 (msg:"Outbound SMTP - Possible Spam Bot (IPv4)"; flow:to_server,established; classtype:policy-violation; sid:1001070; rev:1;)
      alert tcp [<YOUR_SECURE_LAN_v6>/64,<YOUR_GUEST_LAN_v6>/64] any -> any 25 (msg:"Outbound SMTP - Possible Spam Bot (IPv6)"; flow:to_server,established; classtype:policy-violation; sid:1000127; rev:1;)
      
      # === DNS SECURITY ===
      # DNS tunneling - oversized query payload (data exfiltration via DNS)
      # NOTE: Unbound uses DoT on port 853 exclusively - port 53 outbound from WAN is client tunneling
      alert udp <YOUR_WAN_IP> any -> any 53 (msg:"DNS Tunneling (IPv4)"; flow:to_server; content:"|01 00 00 01|"; offset:2; depth:4; dsize:>100; classtype:bad-unknown; sid:1000110; rev:1;)
      alert udp <YOUR_SECURE_LAN_v6>/64 any -> any 53 (msg:"DNS Tunneling (IPv6)"; flow:to_server; content:"|01 00 00 01|"; offset:2; depth:4; dsize:>100; classtype:bad-unknown; sid:1000118; rev:1;)
      
      # DNS query to known malicious free TLDs commonly used for malware C2
      # DNS names on the wire are length-prefixed labels, not dot-separated text,
      # so the TLD is matched as <length byte><label><00 root terminator>
      alert udp any any -> any 53 (msg:"DNS Query to Suspicious TLD"; flow:to_server; content:"|01 00 00 01|"; offset:2; depth:4; dsize:>30; pcre:"/(\x02(tk|ml|ga|cf|gq|pw|ru|su|ws)|\x03(xyz|top)|\x05click)\x00/i"; classtype:trojan-activity; sid:1000113; rev:4;)
      
      # DNS amplification response (our IP being abused as a reflector)
      # NOTE: Unbound uses DoT on port 853 only - any inbound port 53 is unconditionally suspicious
      
      # IPv4 - port 53 is never legitimate from Unbound (uses 853 only)
      alert udp any 53 -> <YOUR_WAN_IP> any (msg:"Unsolicited DNS Response to WAN on Port 53 (IPv4)"; threshold:type threshold, track by_src, count 10, seconds 60; classtype:attempted-dos; sid:1000119; rev:1;)
      
      # IPv4 - port 853 legitimate only from your DoT resolver
      # DoT runs over TCP 853 (UDP 853 is DNS-over-QUIC, handled separately below)
      # Replace with your DoT resolver IPs
      alert tcp ![<YOUR_DOT_RESOLVER_1>,<YOUR_DOT_RESOLVER_2>] 853 -> <YOUR_WAN_IP> any (msg:"Unsolicited DoT Response to WAN from Non-Resolver (IPv4)"; threshold:type threshold, track by_src, count 10, seconds 60; classtype:attempted-dos; sid:1000116; rev:7;)
      
      # IPv6 - port 53 is never legitimate from Unbound (uses 853 only)
      alert udp any 53 -> <YOUR_HE_TUNNEL_ENDPOINT> any (msg:"Unsolicited DNS Response to WAN on Port 53 (IPv6)"; threshold:type threshold, track by_src, count 10, seconds 60; classtype:attempted-dos; sid:1000120; rev:1;)
      
      # IPv6 - port 853 legitimate only from your DoT resolver
      # DoT runs over TCP 853 (UDP 853 is DNS-over-QUIC, handled separately below)
      # Replace with your DoT resolver IPv6 addresses
      alert tcp ![<YOUR_DOT_RESOLVER_v6_1>,<YOUR_DOT_RESOLVER_v6_2>] 853 -> <YOUR_HE_TUNNEL_ENDPOINT> any (msg:"Unsolicited DoT Response to WAN from Non-Resolver (IPv6)"; threshold:type threshold, track by_src, count 10, seconds 60; classtype:attempted-dos; sid:1000117; rev:3;)
      
      # === BOTNET / MALWARE ===
      
      # Zeus/Zbot C2 beacon
      alert tcp <YOUR_WAN_IP> any -> any any (msg:"Zeus Botnet C2 (IPv4)"; flow:to_server,established; content:"POST"; http_method; content:"/gate.php"; http_uri; classtype:trojan-activity; sid:1000141; rev:1;)
      
      # Cobalt Strike - default self-signed certificate subject (visible in TLS handshake)
      # CN=Major Cobalt Strike is the factory default that lazy operators leave unchanged
      # The commonName OID is |55 04 03|; the two bytes after it are the ASN.1 string
      # tag and length, so the CN text begins a couple of bytes past the OID.
      # Only effective while the server certificate is sent in the clear (TLS 1.2 and below).
      alert tcp any any -> any any (msg:"CRITICAL: Cobalt Strike Default Certificate CN"; flow:established; content:"|55 04 03|"; content:"Major Cobalt Strike"; distance:0; within:24; classtype:trojan-activity; priority:1; sid:1001010; rev:5;)
      
      # Cobalt Strike - default team server ports regardless of payload
      # Note: 8080 included - adjust if used for legitimate services on your network
      alert tcp $HOME_NET any -> $EXTERNAL_NET [50050,2222,4444,8080,8443] (msg:"CRITICAL: Cobalt Strike Default Team Server Port"; flow:to_server,established; threshold:type threshold, track by_dst, count 3, seconds 300; classtype:trojan-activity; priority:1; sid:1001015; rev:1;)
      
      # Cobalt Strike - characteristic short beaconing intervals to same destination
      # Repeated small TLS sessions to same host is a strong behavioral indicator
      alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"CRITICAL: Possible C2 Beaconing Pattern"; flow:to_server,established; dsize:<300; threshold:type both, track by_dst, count 20, seconds 300; classtype:trojan-activity; priority:1; sid:1001016; rev:1;)
      
      # EternalBlue MS17-010 exploit attempt (SMB)
      # Windows version string removed to catch all variants not just Win7/2008R2
      alert tcp any any -> any 445 (msg:"CRITICAL: EternalBlue SMB Exploit Attempt (MS17-010)"; flow:to_server,established; content:"|00 00 00 00 00 00 00 00 00 00 ff ff ff ff|"; depth:20; classtype:attempted-admin; priority:1; sid:1001017; rev:2;)
      
      # DoublePulsar backdoor implant check (post-EternalBlue)
      alert tcp any any -> any 445 (msg:"CRITICAL: DoublePulsar Backdoor Ping Detected"; flow:to_server,established; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; depth:36; dsize:36; classtype:trojan-activity; priority:1; sid:1001018; rev:1;)
      
      # Metasploit reverse shell (IPv4 WAN source only)
      alert tcp <YOUR_WAN_IP> any -> any any (msg:"CRITICAL: Metasploit Reverse Shell"; flow:to_server,established; content:"metasploit"; nocase; classtype:trojan-activity; priority:1; sid:1001011; rev:3;)
      
      # PowerShell Empire C2
      alert tcp <YOUR_WAN_IP> any -> any any (msg:"PowerShell Empire C2 Traffic"; flow:to_server,established; content:"GET"; http_method; content:"/admin/get.php"; http_uri; classtype:trojan-activity; sid:1001012; rev:3;)
      
      # Suspicious PowerShell download cradle
      alert tcp <YOUR_WAN_IP> any -> any 443 (msg:"Suspicious PowerShell Download Cradle"; flow:to_server,established; content:"IEX"; nocase; content:"(New-Object"; nocase; distance:0; classtype:trojan-activity; sid:1001013; rev:1;)
      
      # Certutil LOLBin abuse (downloading payloads via trusted Windows binary)
      alert tcp <YOUR_WAN_IP> any -> any 80 (msg:"Certutil Download Abuse"; flow:to_server,established; content:"certutil"; nocase; content:"-urlcache"; nocase; distance:0; classtype:trojan-activity; sid:1001014; rev:3;)
      
      # === NAS RANSOMWARE DETECTION ===
      # NOTE: VPN SMB traffic is decrypted by pfSense and routed internally.
      # WAN Snort only sees encrypted VPN traffic, not the SMB inside.
      # These rules only fire if raw unencrypted SMB appears on WAN
      # which itself indicates a serious problem. Low CPU cost safety net.
      
      # SMB large write burst (ransomware bulk encryption pattern)
      alert tcp any any -> any 445 (msg:"CRITICAL: Ransomware SMB Write Burst"; flow:to_server,established; dsize:>50000; threshold:type threshold, track by_src, count 20, seconds 10; classtype:trojan-activity; priority:1; sid:1001020; rev:1;)
      
      # SMB1 dialect negotiation detection - legacy protocol warning
      # Fires only if raw unencrypted SMB1 appears on WAN - unconditionally suspicious
      alert tcp any any -> any 445 (msg:"SMB1 Dialect Negotiation Detected"; flow:to_server,established; content:"|ff 53 4d 42|"; depth:4; classtype:policy-violation; sid:1000148; rev:1;)
      
      # Ransomware file extensions
      alert tcp any any -> any 445 (msg:"CRITICAL: Ransomware File Extension (.locked)"; flow:established; content:".locked"; nocase; classtype:trojan-activity; priority:1; sid:1001021; rev:1;)
      alert tcp any any -> any 445 (msg:"CRITICAL: Ransomware File Extension (.encrypted)"; flow:established; content:".encrypted"; nocase; classtype:trojan-activity; priority:1; sid:1001022; rev:1;)
      alert tcp any any -> any 445 (msg:"CRITICAL: Ransomware File Extension (.crypt)"; flow:established; content:".crypt"; nocase; classtype:trojan-activity; priority:1; sid:1001024; rev:1;)
      alert tcp any any -> any 445 (msg:"CRITICAL: Ransomware File Extension (.enc)"; flow:established; content:".enc"; nocase; classtype:trojan-activity; priority:1; sid:1001025; rev:1;)
      alert tcp any any -> any 445 (msg:"CRITICAL: Ransomware File Extension (.crypted)"; flow:established; content:".crypted"; nocase; classtype:trojan-activity; priority:1; sid:1001026; rev:1;)
      
      # Ransomware note detection - simplified from PCRE to plain content
      # match for ARM CPU efficiency. DECRYPT is the most distinctive
      # keyword common across all major ransomware note naming schemes.
      alert tcp any any -> any 445 (msg:"CRITICAL: Ransom Note File Detected"; flow:established; content:"DECRYPT"; nocase; classtype:trojan-activity; priority:1; sid:1001023; rev:3;)
      
      # === CREDENTIAL THEFT / DATA EXFILTRATION ===
      
      # Suspicious Pastebin POST (possible credential dump exfiltration)
      alert tcp <YOUR_WAN_IP> any -> any 443 (msg:"Suspicious Pastebin Upload"; flow:to_server,established; content:"pastebin.com"; http_header; content:"POST"; http_method; classtype:policy-violation; sid:1001033; rev:1;)
      
      # GitHub raw .exe download (malware staging and distribution)
      alert tcp <YOUR_WAN_IP> any -> any 443 (msg:"Suspicious GitHub Raw .exe Download"; flow:to_server,established; content:"raw.githubusercontent.com"; http_header; content:".exe"; http_uri; nocase; classtype:policy-violation; sid:1001042; rev:3;)
      
      # === COVERT CHANNELS ===
      
      # ICMP tunneling (data exfiltration via oversized ping packets)
      alert icmp <YOUR_WAN_IP> any -> any any (msg:"ICMP Tunneling Detected (IPv4)"; dsize:>100; threshold:type threshold, track by_src, count 10, seconds 60; classtype:bad-unknown; sid:1001060; rev:1;)
      alert icmp [<YOUR_SECURE_LAN_v6>/64,<YOUR_GUEST_LAN_v6>/64] any -> any any (msg:"ICMP Tunneling Detected (IPv6)"; dsize:>100; threshold:type threshold, track by_src, count 10, seconds 60; classtype:bad-unknown; sid:1000130; rev:1;)
      
      # DNS over HTTPS to Google (bypasses local DNS filtering and logging)
      alert tcp <YOUR_WAN_IP> any -> any 443 (msg:"DNS Over HTTPS Detected (Google)"; flow:to_server,established; content:"dns.google"; http_header; classtype:policy-violation; sid:1001061; rev:1;)
      
      # DNS over HTTPS to Cloudflare - uncomment to enable if desired
      # alert tcp <YOUR_WAN_IP> any -> any 443 (msg:"DNS Over HTTPS (Cloudflare)"; flow:to_server,established; content:"cloudflare-dns.com"; http_header; classtype:policy-violation; sid:1001062; rev:1;)
      
      # DNS over TLS to non-authorized servers
      # Replace with your DoT resolver IPs
      alert tcp <YOUR_WAN_IP> any -> ![<YOUR_DOT_RESOLVER_1>,<YOUR_DOT_RESOLVER_2>,<YOUR_DOT_RESOLVER_3>,<YOUR_DOT_RESOLVER_4>] 853 (msg:"DNS Over TLS to Non-Authorized Server (IPv4)"; flow:to_server,established; classtype:policy-violation; sid:1001063; rev:3;)
      alert tcp [<YOUR_SECURE_LAN_v6>/64,<YOUR_GUEST_LAN_v6>/64] any -> ![<YOUR_DOT_RESOLVER_1>,<YOUR_DOT_RESOLVER_2>,<YOUR_DOT_RESOLVER_v6_1>,<YOUR_DOT_RESOLVER_v6_2>] 853 (msg:"DNS Over TLS to Non-Authorized Server (IPv6)"; flow:to_server,established; classtype:policy-violation; sid:1000131; rev:1;)
      
      # Suspicious MQTT outbound (IoT device C2 communication)
      alert tcp <YOUR_WAN_IP> any -> any 1883 (msg:"Outbound MQTT Connection (IoT C2?)"; flow:to_server,established; classtype:policy-violation; sid:1001052; rev:2;)
      alert tcp [<YOUR_SECURE_LAN_v6>/64,<YOUR_GUEST_LAN_v6>/64] any -> any 1883 (msg:"Outbound MQTT Connection (IoT C2?) (IPv6)"; flow:to_server,established; classtype:policy-violation; sid:1000143; rev:1;)
      
      # Tor2Web gateway access (anonymization service bypass)
      alert tcp <YOUR_WAN_IP> any -> any 443 (msg:"Tor2Web Gateway Access"; flow:to_server,established; content:".onion."; http_header; classtype:policy-violation; sid:1001040; rev:1;)
      
      # NTP - authenticated NTP to authorized servers only
      # Replace with your NTP server IPs - this example uses NIST servers
      # Any inbound NTP not from authorized servers is unconditionally suspicious
      alert udp ![<YOUR_NTP_SERVER_1>,<YOUR_NTP_SERVER_2>,<YOUR_NTP_SERVER_3>] any -> <YOUR_WAN_IP> 123 (msg:"NTP from Non-Authorized Source"; classtype:attempted-dos; sid:1001071; rev:3;)
      
      # SSDP/UPnP probe to WAN (should never arrive on WAN)
      alert udp any any -> <YOUR_WAN_IP> 1900 (msg:"SSDP UPnP Probe on WAN (IPv4)"; classtype:attempted-recon; sid:1001072; rev:1;)
      alert udp any any -> <YOUR_HE_TUNNEL_ENDPOINT> 1900 (msg:"SSDP UPnP Probe on WAN (IPv6)"; classtype:attempted-recon; sid:1000138; rev:1;)
      
      # Log4Shell JNDI injection attempt
      alert tcp any any -> <YOUR_WAN_IP> any (msg:"CRITICAL: Log4Shell JNDI Injection Attempt (IPv4)"; flow:to_server,established; content:"${jndi:"; nocase; classtype:web-application-attack; priority:1; sid:1001073; rev:1;)
      alert tcp any any -> <YOUR_HE_TUNNEL_ENDPOINT> any (msg:"CRITICAL: Log4Shell JNDI Injection Attempt (IPv6)"; flow:to_server,established; content:"${jndi:"; nocase; classtype:web-application-attack; priority:1; sid:1000137; rev:1;)
      
      # GRE tunnel to WAN (potential bypass similar to proto 41)
      alert ip any any -> <YOUR_WAN_IP> any (msg:"GRE Tunnel Probe to WAN (IPv4)"; ip_proto:47; classtype:policy-violation; sid:1001074; rev:1;)
      alert ip any any -> <YOUR_HE_TUNNEL_ENDPOINT> any (msg:"GRE Tunnel Probe to WAN (IPv6)"; ip_proto:47; classtype:policy-violation; sid:1000136; rev:1;)
      
      # DNS-over-QUIC (UDP 853) - not used by Unbound, any outbound is suspicious
      # Replace with your DoT resolver IPs
      alert udp <YOUR_WAN_IP> any -> ![<YOUR_DOT_RESOLVER_1>,<YOUR_DOT_RESOLVER_2>] 853 (msg:"DNS-over-QUIC to Non-Authorized Server (IPv4)"; classtype:policy-violation; sid:1000134; rev:1;)
      alert udp [<YOUR_SECURE_LAN_v6>/64,<YOUR_GUEST_LAN_v6>/64] any -> ![<YOUR_DOT_RESOLVER_1>,<YOUR_DOT_RESOLVER_2>,<YOUR_DOT_RESOLVER_v6_1>,<YOUR_DOT_RESOLVER_v6_2>] 853 (msg:"DNS-over-QUIC to Non-Authorized Server (IPv6)"; classtype:policy-violation; sid:1000135; rev:1;)
      
      # === REMOTE ACCESS MONITORING ===
      
      # RDP probe to WAN (should never arrive if firewall is default-deny)
      # but catches misconfiguration or firewall bypass attempts
      alert tcp any any -> <YOUR_WAN_IP> 3389 (msg:"RDP Probe to WAN (IPv4)"; flags:S; threshold:type threshold, track by_src, count 5, seconds 60; classtype:attempted-admin; sid:1001075; rev:1;)
      alert tcp any any -> <YOUR_HE_TUNNEL_ENDPOINT> 3389 (msg:"RDP Probe to WAN (IPv6)"; flags:S; threshold:type threshold, track by_src, count 5, seconds 60; classtype:attempted-admin; sid:1000139; rev:1;)
      
      # SSH brute force to WAN
      alert tcp any any -> <YOUR_WAN_IP> 22 (msg:"SSH Brute Force to WAN (IPv4)"; flags:S; threshold:type threshold, track by_src, count 5, seconds 60; classtype:attempted-admin; sid:1001076; rev:1;)
      alert tcp any any -> <YOUR_HE_TUNNEL_ENDPOINT> 22 (msg:"SSH Brute Force to WAN (IPv6)"; flags:S; threshold:type threshold, track by_src, count 5, seconds 60; classtype:attempted-admin; sid:1000140; rev:1;)
      
      # Inbound Telnet probe to WAN (should never arrive on default-deny)
      alert tcp any any -> <YOUR_WAN_IP> 23 (msg:"Telnet Probe to WAN (IPv4)"; flags:S; threshold:type threshold, track by_src, count 5, seconds 60; classtype:attempted-recon; sid:1000149; rev:1;)
      alert tcp any any -> <YOUR_HE_TUNNEL_ENDPOINT> 23 (msg:"Telnet Probe to WAN (IPv6)"; flags:S; threshold:type threshold, track by_src, count 5, seconds 60; classtype:attempted-recon; sid:1000150; rev:1;)
      
      # Inbound FTP probe to WAN (should never arrive on default-deny)
      alert tcp any any -> <YOUR_WAN_IP> 21 (msg:"FTP Probe to WAN (IPv4)"; flags:S; threshold:type threshold, track by_src, count 5, seconds 60; classtype:attempted-recon; sid:1000151; rev:1;)
      alert tcp any any -> <YOUR_HE_TUNNEL_ENDPOINT> 21 (msg:"FTP Probe to WAN (IPv6)"; flags:S; threshold:type threshold, track by_src, count 5, seconds 60; classtype:attempted-recon; sid:1000152; rev:1;)
      
      # Outbound RDP (unusual for a home network, possible lateral movement)
      alert tcp <YOUR_WAN_IP> any -> any 3389 (msg:"Outbound RDP Connection (IPv4)"; flow:to_server,established; classtype:policy-violation; sid:1001077; rev:1;)
      alert tcp [<YOUR_SECURE_LAN_v6>/64,<YOUR_GUEST_LAN_v6>/64] any -> any 3389 (msg:"Outbound RDP Connection (IPv6)"; flow:to_server,established; classtype:policy-violation; sid:1000142; rev:1;)
      
      # === NON-STANDARD PORT PROTOCOL DETECTION ===
      
      # Telnet handshake on non-standard ports (protocol bypass detection)
      alert tcp <YOUR_WAN_IP> any -> any !23 (msg:"Telnet Handshake on Non-Standard Port (IPv4)"; flow:to_server,established; content:"|ff fb|"; depth:2; classtype:policy-violation; sid:1000144; rev:1;)
      alert tcp [<YOUR_SECURE_LAN_v6>/64,<YOUR_GUEST_LAN_v6>/64] any -> any !23 (msg:"Telnet Handshake on Non-Standard Port (IPv6)"; flow:to_server,established; content:"|ff fb|"; depth:2; classtype:policy-violation; sid:1000145; rev:1;)
      
      # FTP handshake on non-standard ports (protocol bypass detection)
      # The "220 " greeting is sent by the server, so the rule watches server-to-client
      # traffic returning to the WAN / LAN prefixes (flow:to_client), not to_server
      alert tcp any !21 -> <YOUR_WAN_IP> any (msg:"FTP Handshake on Non-Standard Port (IPv4)"; flow:to_client,established; content:"220 "; depth:4; classtype:policy-violation; sid:1000146; rev:2;)
      alert tcp any !21 -> [<YOUR_SECURE_LAN_v6>/64,<YOUR_GUEST_LAN_v6>/64] any (msg:"FTP Handshake on Non-Standard Port (IPv6)"; flow:to_client,established; content:"220 "; depth:4; classtype:policy-violation; sid:1000147; rev:2;)
      

      <YOUR_WAN_IP> — your static IPv4 WAN address
      <YOUR_WAN_GATEWAY> — your ISP gateway IP
      <YOUR_HE_TUNNEL_LINK> — your Hurricane Electric tunnel /64 prefix
      <YOUR_HE_TUNNEL_ENDPOINT> — your pfSense tunnel endpoint address
      <YOUR_HE_ROUTED_PREFIX> — your HE routed /48 prefix
      <YOUR_SECURE_LAN_v6> — your secure LAN /64
      <YOUR_GUEST_LAN_v6> — your guest WiFi /64
      <YOUR_CARRIER_SUBNET> — your mobile carrier IP range
      <YOUR_VPN_CLIENT_SUBNET> — your VPN client subnet
      <YOUR_LAN_GW_IP> — your LAN gateway/proxy IP
      <YOUR_DOT_RESOLVER_1/2> — your IPv4 DoT resolver IPs
      <YOUR_DOT_RESOLVER_v6_1/2> — your IPv6 DoT resolver addresses
      <YOUR_NTP_SERVER_1/2/3> — your authorized NTP server IPs
      <HE_SERVER_IP> — your Hurricane Electric tunnel server IP

      Make sure to upvote
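The header of the ruleset defers SID renumbering and asks that conflicts be checked before ET or community rules are added. The script below is an added example (not part of the post, and not a Netgate or Snort tool) that does that check offline: it parses Snort 2 single-line rules, reports duplicate SIDs within the local file, SIDs that collide with a second ruleset, SIDs outside the recommended local range 9000001-9099999, rules with no sid at all, and every `pass` rule so the whitelist stays visible. The embedded rule text is constructed for the demonstration and only echoes the style of the post.

```python
"""Audit a Snort 2 local.rules file for SID problems (added example, not from the post).

Checks: missing sid, duplicate sid within the file, collision with another ruleset
(for example an ET/community file), sid outside the recommended local range
9000001-9099999, and a list of every `pass` rule. Multi-line rules (backslash
continuation) are not handled; the post's rules are all single-line.
"""
import re
from collections import Counter

LOCAL_SID_MIN, LOCAL_SID_MAX = 9000001, 9099999  # range quoted in the ruleset header

# Rule header: action, protocol, then everything up to the first "(" of the options.
RULE_RE = re.compile(r'^(alert|pass|drop|log|reject|sdrop)\s+(\S+)\s+.*?\((.*)\)\s*$')
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
REV_RE = re.compile(r'\brev\s*:\s*(\d+)\s*;')
MSG_RE = re.compile(r'\bmsg\s*:\s*"([^"]*)"\s*;')


def parse_rules(text):
    """Return a list of dicts for each active (non-comment) single-line rule."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith('#'):
            continue  # blank line or comment, including commented-out rules
        m = RULE_RE.match(stripped)
        if not m:
            continue  # not a rule line (variable definitions, includes, ...)
        action, proto, options = m.groups()
        sid, rev, msg = SID_RE.search(options), REV_RE.search(options), MSG_RE.search(options)
        rules.append({
            'line': lineno,
            'action': action,
            'proto': proto,
            'sid': int(sid.group(1)) if sid else None,
            'rev': int(rev.group(1)) if rev else None,
            'msg': msg.group(1) if msg else '',
        })
    return rules


def audit(local_text, other_text=''):
    """Cross-check a local ruleset against an optional second ruleset."""
    local = parse_rules(local_text)
    other_sids = {r['sid'] for r in parse_rules(other_text) if r['sid'] is not None}
    seen = Counter(r['sid'] for r in local if r['sid'] is not None)
    missing, dup, coll, oor, passes = [], set(), set(), set(), set()
    for r in local:
        sid = r['sid']
        if sid is None:
            missing.append(r['line'])  # Snort rejects a rule without a sid
            continue
        if seen[sid] > 1:
            dup.add(sid)
        if sid in other_sids:
            coll.add(sid)  # same sid in two files: one will be dropped or shadow the other
        if not LOCAL_SID_MIN <= sid <= LOCAL_SID_MAX:
            oor.add(sid)
        if r['action'] == 'pass':
            passes.add(sid)
    return {
        'missing_sid': missing,
        'duplicate_sid': sorted(dup),
        'collision': sorted(coll),
        'out_of_range': sorted(oor),
        'pass_rules': sorted(passes),
    }


# Constructed sample in the style of the post's ruleset (placeholders kept as-is).
LOCAL_RULES = """\
# constructed local.rules excerpt
alert ip !<HE_SERVER_IP> any -> <YOUR_WAN_IP> any (msg:"Spoofed IPv6 Tunnel Packet (Not from HE)"; ip_proto:41; sid:1000300; rev:1;)
pass udp 157.240.0.0/16 443 -> any any (msg:"Allow Facebook QUIC (IPv4)"; sid:1000500; rev:1;)
alert udp any any -> <YOUR_WAN_IP> 1900 (msg:"SSDP UPnP Probe on WAN (IPv4)"; sid:9000001; rev:1;)
alert icmp any any -> <YOUR_WAN_IP> any (msg:"ICMP Redirect (duplicate sid)"; itype:5; sid:1000300; rev:2;)
alert tcp any any -> <YOUR_WAN_IP> 22 (msg:"SSH probe without a sid"; flags:S; rev:1;)
# alert tcp any any -> any 443 (msg:"commented out, ignored"; sid:1000300; rev:1;)
"""

# Constructed stand-in for a community/ET file that happens to reuse a local sid.
COMMUNITY_RULES = """\
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"COMMUNITY DNS example"; sid:1000500; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"COMMUNITY web example"; sid:2000001; rev:1;)
"""

if __name__ == '__main__':
    for key, value in audit(LOCAL_RULES, COMMUNITY_RULES).items():
        print(f'{key:14s} {value}')
```

Point `audit()` at the contents of your own local.rules and the downloaded ET/community file before enabling both; anything in `collision` or `duplicate_sid` needs a new SID, and `out_of_range` lists what a later renumbering into 9000001-9099999 would have to touch.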

      Copyright 2026 Rubicon Communications LLC (Netgate). All rights reserved.