A complete guide to writing, managing, and optimizing Suricata rules to detect threats and network activity in NMSLEX.
Every rule consists of a header (action, protocol, source, destination) and options (the detection logic).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"Detect suspicious user-agent"; content:"evil-bot"; http_user_agent; sid:1000001; rev:1;)
| Action | Meaning |
|---|---|
| alert | Generate an alert and log the event |
| pass | Skip the packet (whitelist) |
| drop | Drop the packet (IPS mode) |
| reject | Drop the packet and send a TCP RST / ICMP unreachable |

| Protocol | Layer |
|---|---|
| tcp, udp, icmp | Layer 4 |
| http, dns, tls | Layer 7 (application) |
| ssh, ftp, smtp | Layer 7 (application) |
| ip | Catch-all, Layer 3 |

| Direction | Meaning |
|---|---|
| -> | Source to destination (unidirectional) |
| <> | Both directions (bidirectional) |

| Variable | Meaning |
|---|---|
| $HOME_NET | The network being monitored |
| $EXTERNAL_NET | External networks |
| $HTTP_SERVERS | Web servers |
| $DNS_SERVERS | DNS servers |
Copy and paste these rules into your custom rules file and adjust the SIDs.
# Detect SQL injection attempts in HTTP requests
alert http $HOME_NET any -> $EXTERNAL_NET any ( \
msg:"NMSLEX SQL Injection attempt"; \
flow:established,to_server; \
content:"UNION"; nocase; \
content:"SELECT"; nocase; \
distance:0; \
classtype:web-application-attack; \
sid:1000001; rev:1; \
)
# Alert when a DNS query carries a very long label (tunneling indicator)
alert dns $HOME_NET any -> any any ( \
msg:"NMSLEX Possible DNS Tunneling"; \
dns.query; content:"."; \
pcre:"/^[a-z0-9]{30,}\./i"; \
threshold:type both, track by_src, count 10, seconds 60; \
classtype:trojan-activity; \
sid:1000002; rev:1; \
)
# Detect SYN scans: many SYNs without ACK from the same source
alert tcp $EXTERNAL_NET any -> $HOME_NET any ( \
msg:"NMSLEX Possible SYN Port Scan"; \
flags:S,12; \
threshold:type both, track by_src, count 20, seconds 10; \
classtype:attempted-recon; \
sid:1000003; rev:1; \
)
# Alert on TLS handshakes whose certificate looks self-signed.
# Note: Suricata cannot compare the tls.cert_issuer buffer with the
# tls.cert_subject buffer, so as written this rule only checks that both
# fields contain "CN="; replace the content strings with the specific
# issuer and subject you want to flag (a true issuer = subject comparison
# needs a Lua script).
alert tls any any -> $HOME_NET any ( \
msg:"NMSLEX Self-signed TLS certificate detected"; \
tls.cert_issuer; content:"CN="; \
tls.cert_subject; content:"CN="; \
classtype:policy-violation; \
sid:1000004; rev:1; \
)
# Alert when one source opens many SSH connections in a short time
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 ( \
msg:"NMSLEX SSH Brute Force attempt"; \
flow:to_server; \
flags:S,12; \
threshold:type both, track by_src, count 5, seconds 30; \
classtype:attempted-admin; \
sid:1000005; rev:1; \
)
# Detect XSS attempts in HTTP requests
alert http $HOME_NET any -> $EXTERNAL_NET any ( \
msg:"NMSLEX Possible XSS attack"; \
flow:established,to_server; \
content:"<script"; nocase; \
http_uri; \
classtype:web-application-attack; \
sid:1000006; rev:1; \
)
# Detect ICMP floods (DDoS via ping)
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( \
msg:"NMSLEX ICMP Flood detected"; \
itype:8; \
threshold:type both, track by_src, count 50, seconds 10; \
classtype:attempted-dos; \
sid:1000007; rev:1; \
)
# Detect connections to mining pools
alert http $HOME_NET any -> $EXTERNAL_NET any ( \
msg:"NMSLEX Crypto Mining Pool connection"; \
flow:established,to_server; \
content:"stratum+tcp://"; nocase; \
classtype:policy-violation; \
sid:1000008; rev:1; \
)
# Alert on DNS lookups for known mining pool names.
# Note: both the content and the pcre must match, so only query names
# that contain "pool." are tested against the list in the pcre.
alert dns $HOME_NET any -> any any ( \
msg:"NMSLEX Crypto Mining DNS lookup"; \
dns.query; content:"pool."; nocase; \
pcre:"/(nanopool|ethermine|f2pool|mining|hashrate)/i"; \
classtype:policy-violation; \
sid:1000009; rev:1; \
)
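Six of the rules above rate-limit their alerts with the threshold keyword. The following Python script is an added example (not code from the NMSLEX page or from Suricata) that models `threshold:type <both|limit|threshold>, track by_src, count N, seconds S` as Suricata documents it, with simplified interval bookkeeping: an interval starts at a source's first match and is reset once S seconds have passed. The event list is constructed, not captured traffic, and the `apply_threshold` and `syn_burst` names are this example's own. Run it to predict how many alerts the SYN-scan or SSH brute-force rule raises for a given burst before you deploy it.

```python
"""Simulate Suricata's threshold keyword over constructed events.

Added example; not code from the NMSLEX page or from Suricata. The
interval handling is a simplification of Suricata's: an interval starts
at a source's first match and is reset once `seconds` have elapsed.
"""


def apply_threshold(events, ttype, count, seconds):
    """Return the (timestamp, src) pairs at which an alert is emitted.

    events: (timestamp_in_seconds, src_ip) tuples in time order.
    ttype:  "both"      -> alert once per interval, on the count-th match
            "limit"     -> alert on the first `count` matches per interval
            "threshold" -> alert on every count-th match per interval
    """
    if ttype not in ("both", "limit", "threshold"):
        raise ValueError("unknown threshold type: %r" % ttype)
    state = {}  # src_ip -> (interval_start, matches_in_interval)
    alerts = []
    for ts, src in events:
        start, n = state.get(src, (ts, 0))
        if ts - start >= seconds:  # interval expired: start a new one
            start, n = ts, 0
        n += 1
        state[src] = (start, n)
        if ttype == "both" and n == count:
            alerts.append((ts, src))
        elif ttype == "limit" and n <= count:
            alerts.append((ts, src))
        elif ttype == "threshold" and n % count == 0:
            alerts.append((ts, src))
    return alerts


def syn_burst(src, start, n, gap=0.25):
    """Constructed SYN arrivals: n packets from src, one every gap seconds."""
    return [(start + i * gap, src) for i in range(n)]


# Constructed sample, not captured traffic: a scanner sends 25 SYNs in
# six seconds and comes back 30 seconds later; a normal client sends 5.
SAMPLE_EVENTS = sorted(
    syn_burst("203.0.113.7", 0.0, 25)
    + syn_burst("198.51.100.9", 1.0, 5)
    + syn_burst("203.0.113.7", 30.0, 25),
    key=lambda event: event[0],
)


if __name__ == "__main__":
    # The SYN-scan rule above: threshold:type both, track by_src, count 20, seconds 10
    for ttype in ("both", "limit", "threshold"):
        hits = apply_threshold(SAMPLE_EVENTS, ttype, 20, 10)
        print("type %-9s -> %d alert(s), first: %s" % (ttype, len(hits), hits[:2]))
```

With the scan rule's parameters, type both yields exactly one alert per burst from the scanner and none for the client, while type limit would emit 45 alerts for the same traffic; that difference is why the page's rules use both.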
Flow control, multi-content matching, and rule performance optimization.
Use flow to constrain the direction and state of the connection:
# Only match on an established connection, client to server
flow:established,to_server;
# Only match on responses from the server
flow:established,to_client;
# Match stateless packets (e.g. the first SYN)
flow:stateless;
Chain multiple content matches with distance and within (a relative match must stay in the same buffer as the content it is relative to, so the second body content also carries http_client_body):
alert http any any -> any any ( \
msg:"Chained content match"; \
content:"POST"; http_method; \
content:"/upload"; http_uri; \
content:"filename="; http_client_body; \
content:".php"; http_client_body; distance:0; within:50; \
sid:1000010; rev:1; \
)
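To see what distance and within actually constrain, here is an added Python model of the two keywords; it is not code from the NMSLEX page or from Suricata. It implements the documented semantics: after a content matches, `distance:D` moves the start of the next search D bytes past the end of that match, and `within:W` requires the next content to lie entirely inside the W bytes that follow that start. The multipart bodies are constructed samples, and `chained_match` and `UPLOAD_CHAIN` are this example's names.

```python
"""Model Suricata's relative content keywords distance and within.

Added example; not code from the NMSLEX page or from Suricata. Matching
is byte-exact (no nocase) and negative distances are not modelled.
"""


def chained_match(payload, chain):
    """Return True if every (content, distance, within) matches in order.

    chain: list of (bytes, distance_or_None, within_or_None). The first
    entry is searched anywhere; later entries are relative to the end of
    the previous match, exactly as distance/within are in a rule.
    """
    prev_end = None
    for content, distance, within in chain:
        if prev_end is None:
            idx = payload.find(content)
            if idx < 0:
                return False
            prev_end = idx + len(content)
            continue
        start = prev_end + (distance or 0)
        window = payload[start:] if within is None else payload[start:start + within]
        idx = window.find(content)
        if idx < 0:
            return False
        prev_end = start + idx + len(content)
    return True


# The body part of the upload rule above: "filename=" followed, within 50
# bytes, by ".php".
UPLOAD_CHAIN = [(b"filename=", None, None), (b".php", 0, 50)]

# Constructed multipart bodies, not captured traffic.
BODY_PHP = (b'------boundary\r\nContent-Disposition: form-data; name="file"; '
            b'filename="report.php"\r\nContent-Type: application/x-php\r\n\r\n<?php ?>')
BODY_PNG = (b'------boundary\r\nContent-Disposition: form-data; name="file"; '
            b'filename="cat.png"\r\nContent-Type: image/png\r\n\r\nPNG')
# ".php" is present but more than 50 bytes after "filename=", so within:50 fails
BODY_FAR = (b'------boundary\r\nContent-Disposition: form-data; name="file"; '
            b'filename="' + b"a" * 60 + b'.php"\r\n\r\n')


if __name__ == "__main__":
    for name, body in (("php", BODY_PHP), ("png", BODY_PNG), ("far", BODY_FAR)):
        print("%s: %s" % (name, chained_match(body, UPLOAD_CHAIN)))
```

The third body is the case to keep in mind when tuning within: a long filename pushes the extension outside the window and the rule silently stops matching, so size the window from real request bodies rather than guessing.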
Track state across packets to detect multi-stage attacks:
# Rule 1: set a bit when a login fails
alert http any any -> any any ( \
msg:"Login failed"; \
content:"401"; http_stat_code; \
flowbits:set,login_failed; \
flowbits:noalert; \
sid:1000011; rev:1; \
)
# Rule 2: alert on brute force after a failed login
alert http any any -> any any ( \
msg:"Brute force after failed login"; \
flowbits:isset,login_failed; \
threshold:type both, track by_src, count 3, seconds 60; \
sid:1000012; rev:1; \
)
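The following added Python script (not code from the NMSLEX page or from Suricata) simulates the two rules above over a constructed packet sequence to show the property the pair relies on: flowbits are stored on the flow. Rule 1 sets the bit on a 401 response without alerting, and rule 2 matches every later packet of that flow, including the response that set the bit, because Suricata orders flowbits-setting rules ahead of flowbits-checking rules. The threshold on rule 2 is left out so the flow scoping is easy to see. The packet dicts and the `run_flowbits_rules` / `alerts_per_flow` names are this example's own.

```python
"""Simulate the login_failed flowbits pair over constructed HTTP packets.

Added example; not code from the NMSLEX page or from Suricata. The
threshold on rule 2 is omitted: every packet of a flagged flow alerts.
"""


def run_flowbits_rules(packets):
    """Return (flow_id, packet_index) for each packet on which rule 2 alerts.

    packets: HTTP packets in capture order, each a dict with flow_id,
    direction ("request" or "response") and status (responses only).
    """
    flowbits = {}  # flow_id -> set of bit names currently set on that flow
    alerts = []
    for index, pkt in enumerate(packets):
        bits = flowbits.setdefault(pkt["flow_id"], set())
        # Rule 1: a 401 response sets the bit; noalert means no alert here
        if pkt["direction"] == "response" and pkt.get("status") == 401:
            bits.add("login_failed")
        # Rule 2: flowbits:isset matches on any packet of a flagged flow
        if "login_failed" in bits:
            alerts.append((pkt["flow_id"], index))
    return alerts


def alerts_per_flow(packets):
    """Count rule 2 alerts per flow; flows that never saw a 401 get 0."""
    counts = {pkt["flow_id"]: 0 for pkt in packets}
    for flow_id, _ in run_flowbits_rules(packets):
        counts[flow_id] += 1
    return counts


# Constructed packets, not captured traffic: flow 1 is one keep-alive
# connection with two failed logins and then a success; flow 2 is a new
# connection from the same client whose first attempt succeeds.
SAMPLE_PACKETS = [
    {"flow_id": 1, "direction": "request"},
    {"flow_id": 1, "direction": "response", "status": 401},
    {"flow_id": 1, "direction": "request"},
    {"flow_id": 1, "direction": "response", "status": 401},
    {"flow_id": 1, "direction": "request"},
    {"flow_id": 1, "direction": "response", "status": 200},
    {"flow_id": 2, "direction": "request"},
    {"flow_id": 2, "direction": "response", "status": 200},
]


if __name__ == "__main__":
    for flow_id, index in run_flowbits_rules(SAMPLE_PACKETS):
        print("flow %d packet %d: Brute force after failed login" % (flow_id, index))
    print(alerts_per_flow(SAMPLE_PACKETS))
```

Flow 2 never alerts even though it comes from the same client, which is the limit of this pattern: a client that opens a fresh connection for every attempt starts each flow with no bits set, so a per-flow bit will not see the repetition. Combine it with a by_src threshold (as rule 2 does) or an xbits keyword keyed on the source address when attempts span connections.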
Use the http protocol keyword rather than tcp where possible, so the rule only inspects parsed HTTP traffic.
# fast_pattern for performance: let the multi-pattern matcher pre-filter on your most specific content
content:"specificLongString"; fast_pattern;
How to add, enable, and manage custom rules on the NMSLEX server.
sudo nano /etc/suricata/rules/custom.rules
Add your rules to this file, one rule per line (a rule may be continued on the next line by ending the line with a backslash).
# Make sure the rule-files section contains:
rule-files:
- suricata.rules
- /etc/suricata/rules/custom.rules
deploy.sh adds this automatically during installation. Check it if you installed manually.
# Test the rules without restarting Suricata
sudo suricata -T -c /etc/suricata/suricata.yaml
# Expected output:
# Notice: suricata: Configuration provided was successfully loaded.
# Hot reload: does not interrupt traffic monitoring
sudo suricatasc -c reload-rules
# Or do a full restart if needed
sudo systemctl restart suricata
Once the rules are active, alerts appear on the Alerts page of the NMSLEX Dashboard. Use the filter to search by SID or message.
| Range | Usage |
|---|---|
| 1–999999 | Reserved for Emerging Threats / official Suricata rules |
| 1000000–1999999 | Custom rules: use this range |
| 2000000+ | Emerging Threats community rules |
💡 Tip: Create a numbering scheme, for example 100XYYY where X = category (1=web, 2=dns, 3=ssh, etc.) and YYY = sequence number.
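Before running `suricata -T`, the conventions on this page (the header anatomy from the top of the page, sid and rev on every rule, SIDs in the custom range, no SID reused, and the 100XYYY scheme from the tip) can be checked with a small linter. The script below is an added example, not a tool shipped with NMSLEX or Suricata; it joins backslash-continued rules before parsing, treats a content value containing a semicolon as unsupported, and uses the constructed `SAMPLE_RULES` text plus the `lint_rules` / `join_continued_lines` names as its own assumptions.

```python
"""Lint a custom Suricata rules file for the NMSLEX conventions on this page.

Added example; not a tool from the NMSLEX project or from Suricata.
Checks: parseable header, known action, msg/sid/rev present, SID inside
1000000-1999999, no duplicate SID, and a warning when a SID does not
follow the 100XYYY scheme. Option values containing ';' are not handled.
"""

import re

CUSTOM_SID_MIN, CUSTOM_SID_MAX = 1000000, 1999999
ACTIONS = {"alert", "pass", "drop", "reject"}
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$")
OPTION_RE = re.compile(r"(\w[\w.-]*)(?::([^;]*))?;")


def join_continued_lines(text):
    """Yield (first_line_number, rule_text), joining backslash-continued lines."""
    buf, start = [], None
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not buf:
            if not stripped or stripped.startswith("#"):
                continue
            start = lineno
        if stripped.endswith("\\"):
            buf.append(stripped[:-1].rstrip())
            continue
        buf.append(stripped)
        yield start, " ".join(buf)
        buf = []
    if buf:  # file ended inside a continued rule
        yield start, " ".join(buf)


def parse_options(opts):
    """Return rule options as (keyword, value) pairs; value is None for bare keywords."""
    return [(k, v.strip() or None) for k, v in OPTION_RE.findall(opts)]


def lint_rules(text):
    """Return (line_number, severity, message) findings, in file order."""
    findings, seen = [], {}
    for lineno, rule in join_continued_lines(text):
        m = HEADER_RE.match(rule)
        if not m:
            findings.append((lineno, "error", "malformed header or missing option parentheses"))
            continue
        if m.group("action") not in ACTIONS:
            findings.append((lineno, "error", "unknown action %r" % m.group("action")))
        # dict() keeps the last value per keyword; repeated content keywords do not matter here
        opts = dict(parse_options(m.group("opts")))
        if "msg" not in opts:
            findings.append((lineno, "warning", "no msg; the alert will be hard to find in the dashboard"))
        if "rev" not in opts:
            findings.append((lineno, "error", "missing rev"))
        sid = opts.get("sid")
        if sid is None or not sid.isdigit():
            findings.append((lineno, "error", "missing or non-numeric sid"))
            continue
        sid = int(sid)
        if not CUSTOM_SID_MIN <= sid <= CUSTOM_SID_MAX:
            findings.append((lineno, "error", "sid %d outside custom range %d-%d"
                             % (sid, CUSTOM_SID_MIN, CUSTOM_SID_MAX)))
        elif not (len(str(sid)) == 7 and str(sid).startswith("100")):
            findings.append((lineno, "warning", "sid %d does not follow the 100XYYY scheme" % sid))
        if sid in seen:
            findings.append((lineno, "error", "sid %d already used on line %d" % (sid, seen[sid])))
        seen.setdefault(sid, lineno)
    return findings


# Constructed sample file for the linter, not a real deployment.
SAMPLE_RULES = r'''
# web (1), dns (2) and ssh (3) categories follow the 100XYYY tip
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"NMSLEX web test"; content:"evil-bot"; http_user_agent; sid:1001001; rev:1;)
alert dns $HOME_NET any -> any any ( \
    msg:"NMSLEX dns test"; \
    dns.query; content:"pool."; nocase; \
    sid:1002001; rev:1; \
)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"duplicate sid"; flags:S,12; sid:1002001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"reserved range"; flags:S,12; sid:2010000; rev:1;)
alert icmp any any -> $HOME_NET any (msg:"missing rev"; itype:8; sid:1004001;)
alert http any any -> any any msg:"no parentheses"; sid:1005001; rev:1;
'''


if __name__ == "__main__":
    for lineno, severity, message in lint_rules(SAMPLE_RULES):
        print("line %d: %s: %s" % (lineno, severity, message))
```

A duplicate SID is worth catching early because Suricata refuses to load the file when two rules share one, so a hot reload with `suricatasc -c reload-rules` would leave the previous rule set running while the dashboard shows nothing new.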
Protect your network with well-targeted detection.