suricata/rules: remove SVG

ANSSI-FR · Aug 5, 2024 · 69ee082 · 69ee082
1 parent 37e817a
commit 69ee082
Showing 1 changed file with 15 additions and 16 deletions.
diff --git a/suricata/rules/suricata.rules b/suricata/rules/suricata.rules
@@ -50,22 +50,21 @@ alert ip any any -> any any (msg: "A saarCTF flag was placed in our services (pr
 alert ip any any -> any any (msg: "tag"; file.data; content: "|00|asm"; startswith; fast_pattern; filemagic: "WebAssembly (wasm) binary"; metadata: tag WASM, color primary; sid: 1001;)
 alert ip any any -> any any (msg: "tag"; file.data; content: "|28 B5 2F FD|"; startswith; fast_pattern; filemagic: "Zstandard compressed data"; metadata: tag ZST, color primary; sid: 1002;)
 alert ip any any -> any any (msg: "tag"; file.data; content: "|25|PDF-"; depth:10; fast_pattern; filemagic: "PDF document"; metadata: tag PDF, color primary; sid: 1003;)
-alert ip any any -> any any (msg: "tag"; file.data; content: "|3C|svg"; depth:4096; nocase; fast_pattern; filemagic: "SVG Scalable Vector Graphics image"; metadata: tag SVG, color primary; sid: 1004;)
-alert ip any any -> any any (msg: "tag"; file.data; content: "|89|PNG|0d 0a|"; startswith; fast_pattern; filemagic: "PNG image"; metadata: tag PNG, color primary; sid: 1005;)
-alert ip any any -> any any (msg: "tag"; file.data; content: "|FD|7zXZ|00|"; startswith; fast_pattern; filemagic: "XZ compressed data"; metadata: tag XZ, color primary; sid: 1006;)
-alert ip any any -> any any (msg: "tag"; file.data; content: "|ff d8 ff|"; startswith; fast_pattern; filemagic: "JPEG image"; metadata: tag JPG, color primary; sid: 1007;)
-alert ip any any -> any any (msg: "tag"; file.data; content: "7z|BC AF 27 1C|"; startswith; fast_pattern; filemagic: "7-zip archive data"; metadata: tag 7Z, color primary; sid: 1008;)
-alert ip any any -> any any (msg: "tag"; file.data; content: "GIF"; startswith; fast_pattern; filemagic: "GIF image"; metadata: tag GIF, color primary; sid: 1009;)
-alert ip any any -> any any (msg: "tag"; file.data; content: "MSCF|00 00 00 00|"; startswith; fast_pattern; filemagic: "Microsoft cabinet file data"; metadata: tag CAB, color primary; sid: 1010;)
-alert ip any any -> any any (msg: "tag"; file.data; content: "MThd"; startswith; fast_pattern; filemagic: "Standard MIDI data"; metadata: tag MIDI, color primary; sid: 1011;)
-alert ip any any -> any any (msg: "tag"; file.data; content: "PK|03 04|"; startswith; fast_pattern; filemagic: "Microsoft Excel 2007+"; metadata: tag XLSX, color primary; sid: 1012;)
-alert ip any any -> any any (msg: "tag"; file.data; content: "PK|03 04|"; startswith; fast_pattern; filemagic: "Microsoft PowerPoint 2007+"; metadata: tag PPTX, color primary; sid: 1013;)
-alert ip any any -> any any (msg: "tag"; file.data; content: "PK|03 04|"; startswith; fast_pattern; filemagic: "Microsoft Word 2007+"; metadata: tag DOCX, color primary; sid: 1014;)
-alert ip any any -> any any (msg: "tag"; file.data; content: "PK|03 04|"; startswith; fast_pattern; filemagic: "Zip archive"; metadata: tag ZIP, color primary; sid: 1015;)
-alert ip any any -> any any (msg: "tag"; file.data; content: "Vgm|20|"; startswith; fast_pattern; filemagic: "VGM Video Game Music"; metadata: tag VGM, color primary; sid: 1016;)
-alert ip any any -> any any (msg: "tag"; file.data; content: "wOF"; startswith; fast_pattern; filemagic: "Web Open Font"; metadata: tag WOFF, color primary; sid: 1017;)
-alert ip any any -> any any (msg: "tag"; file.data; content: "|7F|ELF|02 01 01 00 00 00 00 00 00 00 00 00|"; startswith; fast_pattern; filemagic: "ELF"; metadata: tag ELF, color primary; sid: 1018;)
-alert ip any any -> any any (msg: "tag"; file.data; content: "f0VMRgIBAQAAAAAAAAAAAA"; metadata: tag ELF B64, color primary; sid: 1019;)
+alert ip any any -> any any (msg: "tag"; file.data; content: "|89|PNG|0d 0a|"; startswith; fast_pattern; filemagic: "PNG image"; metadata: tag PNG, color primary; sid: 1004;)
+alert ip any any -> any any (msg: "tag"; file.data; content: "|FD|7zXZ|00|"; startswith; fast_pattern; filemagic: "XZ compressed data"; metadata: tag XZ, color primary; sid: 1005;)
+alert ip any any -> any any (msg: "tag"; file.data; content: "|ff d8 ff|"; startswith; fast_pattern; filemagic: "JPEG image"; metadata: tag JPG, color primary; sid: 1006;)
+alert ip any any -> any any (msg: "tag"; file.data; content: "7z|BC AF 27 1C|"; startswith; fast_pattern; filemagic: "7-zip archive data"; metadata: tag 7Z, color primary; sid: 1007;)
+alert ip any any -> any any (msg: "tag"; file.data; content: "GIF"; startswith; fast_pattern; filemagic: "GIF image"; metadata: tag GIF, color primary; sid: 1008;)
+alert ip any any -> any any (msg: "tag"; file.data; content: "MSCF|00 00 00 00|"; startswith; fast_pattern; filemagic: "Microsoft cabinet file data"; metadata: tag CAB, color primary; sid: 1009;)
+alert ip any any -> any any (msg: "tag"; file.data; content: "MThd"; startswith; fast_pattern; filemagic: "Standard MIDI data"; metadata: tag MIDI, color primary; sid: 1010;)
+alert ip any any -> any any (msg: "tag"; file.data; content: "PK|03 04|"; startswith; fast_pattern; filemagic: "Microsoft Excel 2007+"; metadata: tag XLSX, color primary; sid: 1011;)
+alert ip any any -> any any (msg: "tag"; file.data; content: "PK|03 04|"; startswith; fast_pattern; filemagic: "Microsoft PowerPoint 2007+"; metadata: tag PPTX, color primary; sid: 1012;)
+alert ip any any -> any any (msg: "tag"; file.data; content: "PK|03 04|"; startswith; fast_pattern; filemagic: "Microsoft Word 2007+"; metadata: tag DOCX, color primary; sid: 1013;)
+alert ip any any -> any any (msg: "tag"; file.data; content: "PK|03 04|"; startswith; fast_pattern; filemagic: "Zip archive"; metadata: tag ZIP, color primary; sid: 1014;)
+alert ip any any -> any any (msg: "tag"; file.data; content: "Vgm|20|"; startswith; fast_pattern; filemagic: "VGM Video Game Music"; metadata: tag VGM, color primary; sid: 1015;)
+alert ip any any -> any any (msg: "tag"; file.data; content: "wOF"; startswith; fast_pattern; filemagic: "Web Open Font"; metadata: tag WOFF, color primary; sid: 1016;)
+alert ip any any -> any any (msg: "tag"; file.data; content: "|7F|ELF|02 01 01 00 00 00 00 00 00 00 00 00|"; startswith; fast_pattern; filemagic: "ELF"; metadata: tag ELF, color primary; sid: 1017;)
+alert ip any any -> any any (msg: "tag"; file.data; content: "f0VMRgIBAQAAAAAAAAAAAA"; metadata: tag ELF B64, color primary; sid: 1018;)
 
 # Tag HTTP methods and status (sid 2001-3000)
 alert http any any -> any any (msg: "tag"; http.method; content: "POST"; startswith; metadata: tag POST, color info; sid: 2001;)