Examples
Ping (ICMP echo) requests coming from blacklisted IP address spaces
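# Blacklisted source address spaces (CIDR notation).
net1 = Expr(NET_SRC, '217.4.0.0/18')
net2 = Expr(NET_SRC, '203.0.0.0/24')
# Ping requests are ICMP echo requests. The previous expression
# excluded ICMP.ECHO and ICMP.ECHO_REPLY and therefore matched every
# ICMP type *except* ping traffic -- the opposite of the description.
ping_request = Expr(ICMP) and Expr(ICMP.ECHO)
# Only echo requests that originate from one of the blacklisted spaces.
final = ping_request and (net1 or net2)
Compile(final)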
All outbound SSH, RDP, TELNET, or FTP connection initiations from a suspected compromised host; HTTP POST requests from that host to suspicious networks; and all inbound traffic to the host from a source port that is not well-known
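# Suspected compromised host under investigation.
host = '10.0.5.13'
# indicator 1 - lateral-movement / propagation attempts
# FTP (21), SSH (22), TELNET (23), RDP (3389). The previous list
# (20, 21, 3389) covered FTP-data and FTP but omitted SSH and TELNET
# even though the description names them. PORT_DST limits the match
# to connections the host initiates toward these services rather than
# any packet that merely carries one of these numbers on either end.
propagation_ports = Expr(PORT_DST, 21) or Expr(PORT_DST, 22) or Expr(PORT_DST, 23) or Expr(PORT_DST, 3389)
propagation = Expr(HOST_SRC, host) and propagation_ports
# indicator 2 - HTTP POST to suspicious destination networks
net1 = Expr(NET_DST, '217.4.0.0/18')
net2 = Expr(NET_DST, '203.0.0.0/16')
http_post = Expr(HOST_SRC, host) and (net1 or net2) and Expr(HTTP.POST)
# indicator 3 - inbound traffic from a port that is not well-known
# Well-known service ports whose traffic is considered approved.
approved_ports = Expr(PORT, 21) or Expr(PORT, 53) or Expr(PORT, 135) or Expr(PORT, 443)
# NOTE(review): Expr(PORT, n) appears to match either endpoint's port, so
# an inbound connection *to* the host on 443 is also treated as approved.
# The description wants the *source* port checked; if the DSL provides a
# source-port selector, prefer it here -- only PORT and PORT_DST are
# shown in these examples, so PORT is kept.
inbound = Expr(HOST_DST, host) and not approved_ports
final = propagation or http_post or inbound
Compile(final)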
All DNS traffic from the suspected compromised host that is not bound for the internal DNS server over UDP, and all inbound UDP traffic to the host on known suspicious ports
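# Suspected compromised host under investigation.
host = '10.0.1.23'
# indicator 1 - exfil via DNS
# The only approved DNS path is UDP to the internal resolver. The previous
# version used Expr(TCP) here, which approved DNS-over-TCP to the resolver
# and flagged the normal UDP queries -- the reverse of the description.
dns_proto = Expr(UDP)
dns_server = Expr(HOST_DST, '10.1.100.5')
dns_approved = dns_server and dns_proto
# Any port-53 traffic from the host that is not UDP to the internal
# resolver (other resolvers, or TCP to the internal one) is suspicious.
bad_dns = Expr(HOST_SRC, host) and Expr(PORT_DST, 53) and not dns_approved
# indicator 2 - UDP traffic
port1 = Expr(PORT_DST, 54321) # known suspicious port1
port2 = Expr(PORT_DST, 30003) # known suspicious port2
# Inbound UDP to the host on either suspicious port.
bad_udp = Expr(HOST_DST, host) and Expr(UDP) and (port1 or port2)
Compile(bad_dns or bad_udp)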
All traffic from 10.0.1.1 other than SSH, TELNET, RDP, and ICMP
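src_host_1 = Expr(HOST_SRC, '10.0.1.1')
# SSH (22), TELNET (23), RDP (3389). These must be joined with `or`:
# the previous `and` of three different port values can never match a
# single packet, so nothing was ever excluded. Port 20 (FTP-data) was
# also listed in place of TELNET's 23.
ports = Expr(PORT, 22) or Expr(PORT, 23) or Expr(PORT, 3389)
# Exclude the allowed services *and* ICMP: not (A or B). The previous
# `not (ports and Expr(ICMP))` excluded only packets that were both on
# one of the ports and ICMP, i.e. effectively nothing.
final_expr = src_host_1 and not (ports or Expr(ICMP))
Compile(final_expr)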
All TLS ChangeCipherSpec messages (the signal to switch to newly negotiated cipher parameters) within a TLS connection with the local database server
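# 1433 is the default MS SQL Server listener port; adjust if the local
# database server listens elsewhere.
tls_port = Expr(PORT, 1433)
# Expr(TLS) matches TLS traffic of any version -- the previous name
# `tls_v1_2` wrongly suggested a version restriction that the expression
# does not apply.
tls = Expr(TLS)
# HOST (rather than HOST_SRC/HOST_DST) covers both directions of the
# connection with the database server.
sql_server_ip = Expr(HOST, '10.0.1.20')
# NOTE(review): in TLS 1.3 a ChangeCipherSpec record is only sent as a
# middlebox-compatibility dummy, so this may fire on benign 1.3
# handshakes -- confirm against the versions in use.
tls_change_cipher = Expr(TLS.CHANGE_CIPHER)
final = tls_port and tls and sql_server_ip and tls_change_cipher
Compile(final)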