⚠️ Pracivo Security Lab — Blue team skills: log analysis, incident response, SIEM, firewall rules, IDS, threat hunting.
IDS/IPS Signature Writing — Snort & Suricata
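# SNORT / SURICATA RULE SYNTAX:
# action protocol src_ip src_port -> dst_ip dst_port (options)
# $HOME_NET, $HTTP_SERVERS and $HTTP_PORTS are address/port variables that must be
# defined in the engine config (suricata.yaml / snort.conf) before these rules load.
# SIDs from 1000000 upward are the range reserved for local (site-written) rules.
# All content matches below inspect cleartext payload only: traffic inside TLS, or
# otherwise encoded/obfuscated, is not seen unless it is decrypted before inspection.
# Detect SQL injection:
# "UNION" followed within 20 bytes by "SELECT", client->server on established flows.
# Matches the whole payload (URI, headers and body), so expect some false positives
# on legitimate text that happens to contain both words close together.
alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL Injection Attempt"; flow:to_server,established; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; within:20; classtype:web-application-attack; sid:1000001; rev:1;)
# Detect directory traversal:
# Matches the normalized URI buffer. How far percent-encoding is decoded before the
# match depends on the engine's HTTP parser settings, so verify coverage with encoded
# test requests instead of assuming it.
alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Path Traversal Attack"; flow:to_server,established; content:"../"; http_uri; classtype:web-application-attack; sid:1000002; rev:1;)
# Detect reverse shell (bash one-liner):
# Literal match on the classic bash form only; the source is $HOME_NET with no
# to_server/to_client qualifier, so it fires on whichever established flow carries
# the string. Variants using other shells or encodings need their own rules.
alert tcp $HOME_NET any -> any any (msg:"Reverse Shell Bash"; flow:established; content:"bash -i"; content:">& /dev/tcp/"; distance:0; classtype:trojan-activity; sid:1000003; rev:1;)
# Detect Nmap SYN scan:
# flags:S = SYN set and no other flag. Alerts once a single source exceeds 20 SYNs
# within 1 second. detection_filter is the rule-level rate keyword supported by both
# Snort and Suricata; the in-rule "threshold" keyword is deprecated in Snort 2.9 and
# not available in Snort 3. Tune count/seconds per site: busy clients (browsers,
# crawlers, load balancers) legitimately open many connections per second.
alert tcp any any -> $HOME_NET any (msg:"Nmap SYN Scan"; flags:S; detection_filter:track by_src, count 20, seconds 1; classtype:attempted-recon; sid:1000004; rev:2;)
# Detect Mimikatz:
# Only sees the string when it crosses the wire in clear (e.g. a tool or command
# transferred over an unencrypted channel) in traffic sourced from $HOME_NET. Most
# credential-dumping activity is host-local, so pair this with endpoint telemetry.
alert tcp $HOME_NET any -> any any (msg:"Mimikatz Detected"; content:"sekurlsa"; nocase; classtype:trojan-activity; sid:1000005; rev:1;)
# Detect PowerShell encoded command:
# Matches the full parameter spelling only. PowerShell accepts unambiguous parameter
# prefixes (e.g. -enc), so broader coverage needs additional content matches or a
# pcre. No flow keyword: inbound packets to $HOME_NET are inspected regardless of
# connection state.
alert tcp any any -> $HOME_NET any (msg:"PowerShell Encoded Command"; content:"-EncodedCommand"; nocase; classtype:trojan-activity; sid:1000006; rev:1;)
# Running Suricata (live capture on eth0; needs privileges to open the interface):
suricata -c /etc/suricata/suricata.yaml -i eth0
# View alerts (fast.log is the one-line summary; eve.json in the same directory
# carries the full JSON event record for SIEM ingestion):
tail -f /var/log/suricata/fast.log
# Free rule sources (fetch over HTTPS and refresh on a schedule; suricata-update
# manages the Emerging Threats open set for Suricata):
# Emerging Threats: rules.emergingthreats.net
# Snort Community Rules: snort.org/downloads/community/community-rules.tar.gz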