
RuleCat

GONIDS HIDS WorkerPool "" "" , ,

Kafka(Json)

E-Mail, ES, Kafka, Json

Redis, Rabbitmq


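# RuleCat rule definition (example).
# The original used `//` for comments; YAML only recognises `#`, so a line
# such as `state: enable // ...` was parsed as the string
# "enable // ..." rather than "enable". All comments are now real comments.
state: enable                         # enable | disable
rule_id: sqli_get_01                  # rule ID
rule_tag: sqli                        # tag used to group rules
rule_name: sqli_get_select            # rule name

# rule_type selects how the detect_list entries are combined. Only one
# value may be set: duplicate keys are invalid YAML and most parsers
# silently keep the last one, so the alternatives are listed as comments.
#   or            - detect_list entries combined with OR
#   and           - detect_list entries combined with AND
#   frequency_or  - `or`, counted per `key` over `time_interval` (presumably)
#   frequency_and - `and`, counted per `key` over `time_interval` (presumably)
rule_type: or

detect_list:
  - field: conn.conn_state            # event field to inspect
    type: re                          # regular-expression match
    rule: S0                          # pattern / value to match
    ignorecase: false                 # real boolean, not the string "false"

  - field: conn.proto
    type: equal                       # exact comparison
    rule: tcp

  - field: conn.conn_state
    type: in                          # membership test
    rule: S0

  - field: conn.ip
    type: customf                     # custom match function
    rule: CheckIP                     # name of the function to call

# frequency_* only: field whose value is the counting key. Single-quoted so
# the backslash (an escaped dot inside the field path) is kept literally.
key: 'conn.id\.orig_h'

# frequency_* only: fire when `times` matches are seen within `second`
# seconds (here 10 in 10s) — presumably per `key`; confirm against the engine.
time_interval:
  second: 10
  times: 10

threat_level: high                    # severity attached to the alert
auth: njcx86                          # rule author
info: about sql injection attack      # free-text description

# alert recipients. The values start with `[`, which YAML reads as a flow
# sequence unless quoted, so they are quoted here.
e-mail:
  - '[email protected]'
  - '[email protected]'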



{
  "name": {"first": "Tom", "last": "Anderson"},
  "age":37,
  "children": ["Sara","Alex","Jack"],
  "fav.movie": "Deer Hunter",
  "friends": [
    {"first": "Dale", "last": "Murphy", "age": 44, "nets": ["ig", "fb", "tw"]},
    {"first": "Roger", "last": "Craig", "age": 68, "nets": ["fb", "tw"]},
    {"first": "Jane", "last": "Murphy", "age": 47, "nets": ["ig", "tw"]}
  ]
}

"name.last"          >> "Anderson"
"age"                >> 37
"children"           >> ["Sara","Alex","Jack"]
"children.#"         >> 3
"children.1"         >> "Alex"
"child*.2"           >> "Jack"
"c?ildren.0"         >> "Sara"
"fav\.movie"         >> "Deer Hunter"
"friends.#.first"    >> ["Dale","Roger","Jane"]
"friends.1.last"     >> "Craig"


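# RuleCat alert outputs. Each sink is switched with `enabled`
# (booleans are written only as true/false).
output:
  es:
    enabled: true
    # plain http and no credentials appear in this example — confirm
    # TLS/authentication before using it outside a lab
    es_host: ["http://10.10.116.177:9201"]
    version: 7                        # Elasticsearch major version

  kafka:
    enabled: true
    # no broker authentication appears in this example — confirm before use
    server: ["172.21.129.2:9092"]
    topic: nids-alert
    group_id: nids-alert

  email:
    enabled: false
    email_host: smtp.qq.com
    email_smtp_port: 465
    # quoted: a bare `[...]` value is parsed as a flow sequence, not a string
    email_from: '[email protected]'
    email_username: '[email protected]'
    # Placeholder — supply the real value from an environment variable or
    # secret store and never commit it. The original example held a bare
    # numeric value, which YAML reads as an int rather than a string.
    email_pwd: '<SMTP_PASSWORD>'

  json:
    enabled: true
    # /tmp/ is world-writable and shared with every local user; prefer a
    # dedicated, access-controlled log directory for alert output
    path: /tmp/
    name: nids-alert.log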

