From b474f3c10eb8c89f63baa065dc44c460e52207f5 Mon Sep 17 00:00:00 2001
From: aiooss-anssi
Date: Thu, 1 Aug 2024 13:36:51 +0200
Subject: [PATCH] suricata/rules: add missing user-agents
---
 suricata/rules/suricata.rules | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)
diff --git a/suricata/rules/suricata.rules b/suricata/rules/suricata.rules
index 03ba8a8..450449f 100644
--- a/suricata/rules/suricata.rules
+++ b/suricata/rules/suricata.rules
@@ -94,10 +94,13 @@ alert http any any -> any any (msg: "tag"; flow:to_server; content: "python-http
 alert http any any -> any any (msg: "tag"; flow:to_server; content: "HeadlessChrome/"; http_user_agent; metadata: tag UA HLCHROME, color info; sid: 3003;)
 alert http any any -> any any (msg: "tag"; flow:to_server; content: "Gecko/20100101 Firefox/"; http_user_agent; metadata: tag UA FIREFOX, color info; sid: 3004;)
 alert http any any -> any any (msg: "tag"; flow:to_server; content: "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/"; http_user_agent; metadata: tag UA CHROME, color info; sid: 3005;)
-alert http any any -> any any (msg: "tag"; flow:to_server; content: "AppleWebKit/605.1.15 (KHTML, like Gecko) Version/"; http_user_agent; metadata: tag UA SAFARI, color info; sid: 3006;)
-alert http any any -> any any (msg: "tag"; flow:to_server; content: "nushell"; startswith; http_user_agent; metadata: tag UA NUSHELL, color info; sid: 3007;)
-alert http any any -> any any (msg: "tag"; flow:to_server; content: "Python/3."; startswith; http_user_agent; metadata: tag UA PY, color info; sid: 3008;)
-alert http any any -> any any (msg: "tag"; flow:to_server; content: "curl/"; startswith; http_user_agent; metadata: tag UA CURL, color info; sid: 3009;)
+alert http any any -> any any (msg: "tag"; flow:to_server; content: "AppleWebKit/"; content: " (KHTML, like Gecko) Version/"; distance: 0; content: " Safari/"; distance: 0; http_user_agent; metadata: tag UA SAFARI, color info; sid: 3006;)
+alert http any any -> any any (msg: "tag"; flow:to_server; content: "Mozilla/4.0 (compatible|3B| MSIE 9.0|3B| Windows "; startswith; http_user_agent; metadata: tag UA IE, color info; sid: 3007;)
+alert http any any -> any any (msg: "tag"; flow:to_server; content: "nushell"; startswith; http_user_agent; metadata: tag UA NUSHELL, color info; sid: 3008;)
+alert http any any -> any any (msg: "tag"; flow:to_server; content: "Python/3."; startswith; http_user_agent; metadata: tag UA PY, color info; 
sid: 3009;)
+alert http any any -> any any (msg: "tag"; flow:to_server; content: "python-urllib3/"; startswith; http_user_agent; metadata: tag UA URLLIB3, color info; sid: 3010;)
+alert http any any -> any any (msg: "tag"; flow:to_server; content: "curl/"; startswith; http_user_agent; metadata: tag UA CURL, color info; sid: 3011;)
+alert http any any -> any any (msg: "tag"; flow:to_server; content: "Go-http-client/"; startswith; http_user_agent; metadata: tag UA GO, color info; sid: 3012;)
 # Common exploit payloads (sid 4001-5000)
 # content can not use doublequote, ;, : and |, see https://docs.suricata.io/en/suricata-7.0.6/rules/payload-keywords.html
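Review bot: The three-content Safari rule (sid 3006) binds only its last content to the User-Agent buffer: written after a `content`, `http_user_agent` is the legacy per-content modifier and applies just to the content immediately before it, so `AppleWebKit/` and ` (KHTML, like Gecko) Version/` are inspected as raw payload and the `distance: 0` chain spans two different buffers — I would expect Suricata 7 either to refuse the rule at load time or, if it loads, to match something other than the intended User-Agent. Declaring the sticky buffer up front keeps all three contents together: `http.user_agent; content: "AppleWebKit/"; content: " (KHTML, like Gecko) Version/"; distance: 0; content: " Safari/"; distance: 0;`. The single-content rules added alongside it (3007, 3010, 3012) keep the one-content-plus-modifier form and are not affected. Separately, the prefix in sid 3007 (`Mozilla/4.0 (compatible; MSIE 9.0; Windows `) is not, as far as I know, what a real IE9 sends (it identifies as `Mozilla/5.0 (compatible; MSIE 9.0; …)`), so if the intent is to tag tooling that spoofs that string, a comment such as `# Mozilla/4.0 + MSIE 9.0 is a commonly spoofed UA, not a genuine IE9 browser` next to the rule would stop the next reader from taking the IE tag literally.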
@@ -118,8 +121,8 @@ rejectboth ip any any -> any any (msg: "Found LDAP 'userPassword='"; flow:to_ser
 rejectboth ip any any -> any any (msg: "Found NodeJS serialized function '_$$ND_FUNC$$_'"; flow:to_server; content: "_$$ND_FUNC$$_"; nocase; metadata: tag NODEJS NDFUNC, color warning; sid: 4151;)
 rejectboth ip any any -> any any (msg: "Found path '/dev/tcp/'"; flow:to_server; content: "/dev/tcp/"; metadata: tag DEV TCP, color warning; sid: 4201;)
 rejectboth ip any any -> any any (msg: "Found path '/dev/tcp/' (URL encoded)"; flow:to_server; content: "%2Fdev%2Ftcp"; metadata: tag DEV TCP, color warning; sid: 4202;)
-rejectboth ip any any -> any any (msg: "Found path '/etc/passwd'"; flow:to_server; content: "/etc/passwd"; metadata: tag DEV TCP, color warning; sid: 4203;)
-rejectboth ip any any -> any any (msg: "Found path '/etc/passwd' (URL encoded)"; flow:to_server; content: "%2Fetc%2Fpasswd"; metadata: tag DEV TCP, color warning; sid: 4204;)
+rejectboth ip any any -> any any (msg: "Found path '/etc/passwd'"; flow:to_server; content: "/etc/passwd"; metadata: tag ETC PASSWD, color warning; sid: 4203;)
+rejectboth ip any any -> any any (msg: "Found path '/etc/passwd' (URL encoded)"; flow:to_server; content: "%2Fetc%2Fpasswd"; metadata: tag ETC PASSWD, color warning; sid: 4204;)
 rejectboth ip any any -> any any (msg: "Found path '/var/lib/'"; flow:to_server; content: "/var/lib/"; metadata: tag VARLIB PATH, color warning; sid: 4205;)
 rejectboth ip any any -> any any (msg: "Found path '/var/lib/' (URL encoded)"; flow:to_server; content: "%2Fvar%2Flib%2F"; metadata: tag VARLIB PATH, color warning; sid: 4206;)
 rejectboth ip any any -> any any (msg: "Found path '/var/log/'"; flow:to_server; content: "/var/log/"; metadata: tag VARLOG PATH, color warning; sid: 4207;)
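Review bot: The re-tagged URL-encoded rule (sid 4204, `%2Fetc%2Fpasswd`) is still case-sensitive, while percent-encoded hex digits are case-insensitive per RFC 3986, so a client sending `%2fetc%2fpasswd` is not rejected; the NodeJS rule in the same hunk (sid 4151) already uses `nocase;`, and this one should too: `content: "%2Fetc%2Fpasswd"; nocase; metadata: tag ETC PASSWD, color warning; sid: 4204;`. Mixed or double encodings such as `/etc%2Fpasswd` or `%252Fetc%252Fpasswd` are matched by neither 4203 nor 4204; if leaving those out is a deliberate scope choice, a one-line comment above the path rules stating so would make that explicit for whoever extends the list next.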
@@ -167,6 +170,8 @@ rejectboth ip any any -> any any (msg: "Found XML ' any any (msg: "Found XML ' any any (msg: "Found XML ' any any (msg: "Found XML ' any any (msg: "Found XML ' any any (msg: "Found XML ' any any (msg: "tag"; flow.age:>10; flowbits: isnotset, slowflow; flowbits: set, slowflow; metadata: tag SLOW, color warning; sid: 5001;)