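#!/usr/bin/env bash
# Suricata 2.0.7 source build/install walkthrough plus a few local IDS rules.
# The original listing was one garbled line mixing rule text and shell commands;
# it is split here into a build script and a rules file written to disk.
# NOTE(review): 2.0.7 is a 2015-era release; for anything beyond reproducing
# this lab, use a currently supported Suricata series.
set -euo pipefail

# --- Build dependencies (original had a mangled continuation "autoconf \automake") ---
sudo apt-get -y install libpcre3 libpcre3-dbg libpcre3-dev build-essential autoconf \
    automake libtool libpcap-dev libnet1-dev \
    libyaml-0-2 libyaml-dev zlib1g zlib1g-dev libcap-ng-dev libcap-ng0 \
    make libmagic-dev

# --- Fetch and build Suricata ---
# Fetched over HTTPS instead of the original plain HTTP, but the tarball is still
# unauthenticated: verify the checksum/signature published by OISF before the
# `make install` below runs it as root.
wget https://www.openinfosecfoundation.org/download/suricata-2.0.7.tar.gz
tar -xvzf suricata-2.0.7.tar.gz
cd suricata-2.0.7
./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var
make
sudo make install
sudo ldconfig

# --- Install configuration (mkdir -p so a re-run does not abort on existing dirs) ---
sudo mkdir -p /var/log/suricata
sudo mkdir -p /etc/suricata
sudo cp classification.config /etc/suricata
sudo cp reference.config /etc/suricata
sudo cp suricata.yaml /etc/suricata

# --- Emerging Threats open ruleset (same integrity caveat as the tarball) ---
# The original `cp -r` ran without sudo while every other write to /etc used it.
wget https://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz
tar zxvf emerging.rules.tar.gz
sudo cp -r rules /etc/suricata/

# --- Local rules ---
# Quoted heredoc: $EXTERNAL_NET / $HOME_NET must reach the file literally.
# Make sure local.rules is listed under rule-files in suricata.yaml or none of
# these will load.
sudo tee /etc/suricata/rules/local.rules > /dev/null <<'EOF'
# NSTX DNS tunnelling heuristic. Reconstructed from the garbled original:
# "- >" -> "->", "w ithin" -> "within", "class type:bad - unknown" ->
# "classtype:bad-unknown", "sid:1000 2" -> "sid:10002"; the original ended
# mid-rule, so rev:1 and the closing paren are added. Matches DNS flags |01 00|
# at offset 2, a "cT" label marker (presumably the NSTX prefix -- confirm), and
# a TXT/IN (0x0010/0x0001) question type.
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"Potential NSTX DNS Tunneling"; content:"|01 00|"; offset:2; within:4; content:"cT"; offset:12; depth:3; content:"|00 10 00 01|"; within:255; classtype:bad-unknown; sid:10002; rev:1;)
# Fires on every ICMP packet in either direction: noisy, demonstration only.
alert icmp any any -> any any (msg:"PING detected"; sid:2; rev:1;)
# Card-number-in-cleartext rules. Both the PCRE and the keyword content match
# must hit in the same packet, and the PCRE is unanchored, so expect both
# misses and false positives; these are not a substitute for a DLP control.
alert tcp any any <> any any (pcre:"/5\d{3}(\s|-)?\d{4}(\s|-)?\d{4}(\s|-)?\d{4}/"; msg:"MasterCard number detected in clear text"; content:"mastercard"; nocase; sid:9000001; rev:1;)
alert tcp any any <> any any (pcre:"/3\d{3}(\s|-)?\d{6}(\s|-)?\d{5}/"; msg:"American Express card number detected in clear text"; content:"amex"; nocase; sid:9000003; rev:1;)
EOF

# --- Run ---
# Foreground run on eth0; the commands after it only execute once Suricata exits.
sudo suricata -c /etc/suricata/suricata.yaml -i eth0
# suricatasc takes the unix-socket command via -c (original had "-iface-stat eth0").
sudo suricatasc -c "iface-stat eth0"

# barnyard2/snortd/httpd belong to a Snort stack, not Suricata; kept from the
# original listing, which appears to mix the two setups.
sudo service barnyard2 start
sudo service snortd start
sudo service httpd start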