# ICMP Ping
# Disabled. No itype keyword, so if re-enabled it matches every ICMP packet
# (echo replies, unreachables, etc.) destined for $HOME_NET or 192.168.156.1,
# with 10.0.0.1 excluded from the destination list.
# NOTE(review): the negation is written with a space ("! 10.0.0.1"); confirm the
# address parser accepts that form, or write it as "!10.0.0.1" before re-enabling.
#alert icmp any any -> [$HOME_NET,! 10.0.0.1,192.168.156.1] any (msg: "ICMP Ping Detected!"; sid: 9000001; rev: 1;)

# Nmap
# Scan heuristics. Each rule counts packets per destination (track by_dst) and
# uses threshold type "both": once the count is reached inside the window, one
# alert is raised per destination per window.
# NOTE(review): with "any any -> any any" the SYN rule also trips on any busy
# service under ordinary load (20 SYNs to one host in 3 s); scoping the
# destination to $HOME_NET and/or raising the count reduces that noise.
# NOTE(review): flags:S only matches when SYN is the sole flag set; ECN-capable
# clients send SYN with ECE+CWR, which this rule does not count. "flags:S,12"
# ignores those two bits — confirm which behaviour is wanted here.
alert tcp any any -> any any (msg:"Nmap SYN Scan Detected"; flags:S; threshold:type both, track by_dst, count 20, seconds 3; sid:1000001; rev:1;)
# UDP scan: 10 UDP datagrams to one destination in 3 s, no payload or port
# restriction, so DNS/NTP servers will reach this count constantly.
alert udp any any -> any any (msg:"Nmap UDP Scan Detected"; threshold:type both, track by_dst, count 10, seconds 3; sid:1000002; rev:1;)
# FIN scan: bare FIN (no other flag set), which a normal handshake never produces.
alert tcp any any -> any any (msg:"Nmap FIN Scan Detected"; flags:F; threshold:type both, track by_dst, count 10, seconds 3; sid:1000005; rev:1;)
# Disabled. Bare ACK segments occur throughout every established connection, so
# this threshold would fire on normal traffic if re-enabled as written.
#alert tcp any any -> any any (msg:"Nmap ACK Scan Detected"; flags:A; threshold:type both, track by_dst, count 10, seconds 3; sid:1000007; rev:1;)

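# DoS Rule
# Flood heuristics: 100 packets to one destination within 1 s, alerting once per
# second per destination (threshold type both, track by_dst). flow:stateless lets
# the alert rules match before any session exists, which is what a flood looks
# like from the sensor's side. The disabled drop variants instead track per
# source with threshold type "threshold", i.e. they fire again for every further
# "count" packets in the window.
# NOTE(review): "any any -> any any" means any busy host, internal or external,
# reaches these counts under ordinary load; scope the destination to $HOME_NET
# and tune count/seconds per site before using the drop variants.
alert tcp any any -> any any (msg:"Possible SYN Flood Detected"; flags:S; flow:stateless; threshold:type both, track by_dst, count 100, seconds 1; sid:3000001; rev:1;)
#drop tcp any any -> any any (msg:"TCP SYN Flood Detected and Blocked"; flags:S; threshold:type threshold, track by_src, count 100, seconds 1; classtype:attempted-dos; sid: 4000001; rev:1;)

alert udp any any -> any any (msg:"Possible UDP Flood Detected"; flow:stateless; threshold:type both, track by_dst, count 100, seconds 1; sid:3000002; rev:1;)

# Echo-request flood. Uses the itype keyword for the ICMP type, consistent with
# the disabled drop rule below (sid 4000003); the previous spelling "icmp_type"
# is not a recognised rule keyword, so the rule would fail to load and the ICMP
# flood case was silently uncovered. rev bumped to record the change.
alert icmp any any -> any any (msg:"Possible ICMP Flood Detected"; itype:8; flow:stateless; threshold:type both, track by_dst, count 100, seconds 1; sid:3000003; rev:2;)
#drop icmp any any -> any any (msg:"ICMP Flood Detected and Blocked"; itype:8; threshold:type threshold, track by_src, count 50, seconds 1; classtype:attempted-dos; sid:4000003; rev:1;)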

# Brute Force Rule
# Login-attempt heuristics. Each rule counts client-to-server traffic per source
# (track by_src). Rules with threshold type "both" alert once per window after
# the count is reached; sid 2000004 uses type "threshold" and alerts again for
# every further "count" matches inside the window.
# SSH: counts client streams carrying "SSH" (the version banner), 5 per source in 10 s.
# NOTE(review): scripted legitimate clients (config management, scp loops) open
# sessions at that rate too; the source side may need an exclusion list.
alert tcp any any -> any 22 (msg:"SSH Brute Force Detected"; flow:to_server,established; threshold:type both, track by_src, count 5, seconds 10; content:"SSH"; sid:2000001; rev:1;)
# FTP: counts "USER" (case-insensitive) in client traffic, 5 per source in 10 s.
alert tcp any any -> any 21 (msg:"FTP Brute Force Detected"; flow:to_server,established; threshold:type both, track by_src, count 5, seconds 10; content:"USER"; nocase; sid:2000002; rev:1;)
# HTTP: any request whose URI contains "login" (case-insensitive), 5 per source in 10 s.
# NOTE(review): GETs of the login page itself count as well; restricting to POST
# as sid 2000004 does would count submissions rather than page loads.
alert http any any -> any any (msg:"HTTP Brute Force Detected"; flow:to_server,established; threshold:type both, track by_src, count 5, seconds 10; http.uri; content:"login"; nocase; sid:2000003; rev:1;)
# HTTP POST to a URI containing /login.php on $HOME_NET, 5 per source in 60 s.
alert http any any -> $HOME_NET any (msg:"Possible Brute Force Attack - Login Page"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/login.php"; nocase; threshold:type threshold, track by_src, count 5, seconds 60; sid:2000004; rev:1;)
# RDP: 5 established connections to 3389 on $HOME_NET from one source in 60 s.
# No payload check, so legitimate clients that reconnect repeatedly count too.
alert tcp any any -> $HOME_NET 3389 (msg:"RDP Brute Force Detected"; flow:to_server,established; threshold:type both, track by_src, count 5, seconds 60; sid:2000005; rev:1;)

# Malware Rules
# EICAR test string seen in HTTP traffic, either direction, no buffer restriction.
# The doubled backslash is the content-string escape for the single "\" in EICAR.
alert http any any -> any any (msg:"EICAR Test File Detected"; content:"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"; sid:5000001; rev:1;)
# Disabled hash rule.
# NOTE(review): the msg says SHA256 but the keyword is filemd5 and the value is
# 32 hex chars (MD5 length). More importantly, filemd5/filesha256 take the path
# of a file listing one hash per line, not a literal hash; a literal hash here is
# read as a filename that does not exist and the rule will not load.
#alert http any any -> any any (msg:"Malware Downloaded (SHA256 matched)"; filemd5:"a4cd02bde7e6816871911d4ed67ba455"; sid:5000002; rev:1;)
# NOTE(review): same problem as above — filesha256 expects the name of a hash-list
# file (resolved relative to the rule directory), so this rule as written fails
# to load. Move the hash into such a list and point the keyword at it, e.g.
# "filesha256:<hash-list-file>;", then bump rev. filestore keeps the matched
# file for analysis, provided file extraction is enabled in the sensor config.
alert http any any -> any any (msg:"MALWARE DETECTED - Known SHA256 Hash"; filesha256:540ecfddd158625e0e15030a6bb23a5a8e2f5b33c453a1b6e3915ed724983896; filestore; sid:5000003; rev:1;)

# Metasploit Kali
# Any established client-to-server TCP session whose server side is port 4444
# on $HOME_NET (a common default listener port for shell payloads). No threshold
# and no payload check, so every session to that port alerts.
# NOTE(review): as written, the $HOME_NET host is the listener. A reverse shell
# from an internal host normally connects *out* to the remote 4444, which this
# direction does not cover; a companion rule "$HOME_NET any -> any 4444" with
# the same flow options would be needed for that case.
alert tcp any any -> $HOME_NET 4444 (msg:"Reverse TCP Shell Detected"; flow:established,to_server; sid:1000011; rev:1;)

# Windows Rule
# SMBv1 negotiate-shaped request to port 445, referenced to CVE-2017-0144.
# The offsets are absolute (no distance/within), so every content is checked
# against the same payload positions:
#   offset 4, depth 2 -> |00 00|
#   offset 4, depth 4 -> |ff 53 4d 42|  ("\xffSMB", the SMB header signature)
#   offset 8, depth 4 -> |72 00 00 00|  (0x72 = SMB_COM_NEGOTIATE)
# NOTE(review): the first two constraints both pin byte 4 (0x00 versus 0xff), so
# the rule can never match. The intended position of the |00 00| check is not
# recoverable from the rule; fix or drop that content and bump rev before
# relying on this signature.
alert tcp any any -> any 445 (msg:"ET EXPLOIT Possible ETERNALBLUE SMBv1 Exploit Attempt"; flow:established,to_server; content:"|00 00|"; offset:4; depth:2; content:"|ff 53 4d 42|"; offset:4; depth:4; content:"|72 00 00 00|"; offset:8; depth:4; reference:cve,2017-0144; classtype:attempted-admin; sid:7000001; rev:1;)
# HTTP Host header matching the WannaCry kill-switch domain (DNS lookups of the
# domain are not covered by this rule).
# NOTE(review): http_host is the legacy content-modifier form; sids 2000003 and
# 2000004 use the sticky-buffer form (http.uri; content:...). Both work, but the
# file mixes the two styles.
alert http any any -> any any (msg:"ET TROJAN Possible WannaCry Kill Switch Domain Access"; flow:established,to_server; content:"www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"; http_host; reference:url,blog.malwarebytes.com/threat-analysis/2017/05/the-wannacry-ransomware-kill-switch/; classtype:trojan-activity; sid:7000002; rev:1;)
# UDP datagrams sent *from* port 5355 with bytes 2-3 = |00 00| and bytes 4-5 = |00 01|.
# NOTE(review): in the LLMNR header (same layout as DNS) bytes 2-3 are the flags
# and bytes 4-5 the question count. Flags |00 00| means QR=0, i.e. a query, while
# a poisoned *response* from port 5355 sets the QR bit (0x80 in byte 2). Verify
# against a capture of the traffic this is meant to catch; as written it may match
# neither ordinary queries (sent from an ephemeral port) nor responses.
alert udp any 5355 -> any any (msg:"POTENTIAL LLMNR Poisoning Attempt"; content:"|00 00|"; offset:2; depth:2; content:"|00 01|"; offset:4; depth:2; classtype:attempted-user; sid:7000003; rev:1;)