
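# Parse the config and the rule file without starting capture. With no -i/-r input
# source Snort 3 should only validate the configuration and exit, so rule syntax errors
# surface here before the detection run. (The original listing had the snort.lua path
# and the command broken across lines; copying it as printed would reference a
# non-existent file "snort.".)
snort -c /usr/local/etc/snort/snort.lua -R /usr/local/etc/rules/local.rules

# Run detection passively on ens33.
#   -A alert_fast : one-line alerts on stdout
#   -s 65535      : full-packet snaplen so long HTTP requests are not truncated
#   -k none       : do not verify checksums (needed when NIC offload leaves bad checksums
#                   on captured frames; it also means bad-checksum packets are inspected)
# Note: the `drop` rules in the rule files further down only drop when Snort runs inline
# (-Q with an inline-capable DAQ such as afpacket over an interface pair); in this passive
# run they behave like alerts.
sudo snort -c /usr/local/etc/snort/snort.lua -R /usr/local/etc/rules/local.rules -i ens33 -A alert_fast -s 65535 -k none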

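# Reset rules before re-adding them. `--flush` without --table only empties the filter
# table; user-defined filter chains (if any) are left in place.
iptables --flush
iptables --table nat --flush
iptables --table nat --delete-chain
# Masquerade everything leaving on the uplink (ens33) behind its address.
iptables --table nat --append POSTROUTING --out-interface ens33 -j MASQUERADE
# Forward anything arriving from the two internal interfaces (no source/destination
# restriction: the internal segments can also reach each other through this box).
iptables --append FORWARD --in-interface ens37 -j ACCEPT
iptables --append FORWARD --in-interface ens38 -j ACCEPT
# Reply traffic coming back in on ens33 is not covered by the two rules above; it was only
# forwarded because the FORWARD policy is ACCEPT by default. Allow it explicitly so the
# script still works if the policy is set to DROP (a no-op while the policy is ACCEPT).
iptables --append FORWARD --in-interface ens33 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Enable IPv4 routing for this boot only; persist it via sysctl.conf if it must survive
# a reboot. If this script is run through sudo, the redirect is done by the unprivileged
# shell and fails — use `sysctl -w net.ipv4.ip_forward=1` in that case.
echo 1 > /proc/sys/net/ipv4/ip_forward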

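# Alert-only SYN-flood rule for the passive run (the inline version below uses the same
# sid 10000002 — loading both files together is a duplicate-sid error).
# Fix: the opening quote of msg was a typographic quote (”), which the rule parser does not
# accept as a string delimiter.
# threshold type limit: fires on the first 40 SYNs per destination in a 60 s window, then
# stays quiet until the window resets. `threshold` as a rule option is deprecated in Snort 2
# (use detection_filter, as below) and not available in Snort 3.
# gid written in lowercase, the form documented for the option keyword.
alert tcp any any -> 192.168.24.200 80 (msg:"SYN Flood"; flags:S; flow: stateless; threshold: type limit, track by_dst, count 40, seconds 60; gid:1; sid:10000002; rev:001;)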

# NOTE(review): `config daq:` / `config daq_mode:` is snort.conf (Snort 2.x) directive
# syntax. The commands at the top of this page use a Snort 3 snort.lua, where the DAQ is
# configured in the Lua `daq` table or with the --daq / --daq-mode / -Q command-line
# switches — confirm which Snort version this file is meant for.
config daq: afpacket


# Inline mode is what makes the `drop` rules below actually drop; in passive mode they
# only alert.
config daq_mode: inline

# The drop rules live in a separate file. This path (/etc/snort/rules) is a different tree
# from the /usr/local/etc/rules file passed with -R above — make sure the intended file is
# the one being loaded.
include /etc/snort/rules/nhom4.rules
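# Inline SYN-flood rule. detection_filter: the first 40 SYNs per destination in a 60 s
# window pass; every further SYN in that window is dropped.
# Trade-off: the counter is per destination (track by_dst), so once a flood — spoofed
# sources included — trips it, SYNs from legitimate clients are dropped as well. 40 SYN/min
# is a lab-scale figure; a few browser page loads (several connections each) reach it.
# Same sid as the alert-only rule in local.rules: do not load both files at once.
# gid written in lowercase, the form documented for the option keyword.
drop tcp any any -> $HOME_NET 80 (msg:"SYN Flood Detected"; flags:S; flow:stateless; detection_filter: track by_dst, count 40, seconds 60; gid:1; sid:10000002; rev:001;)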

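# Despite the msg this is a blanket port rule, not scan detection: every inbound TCP
# segment to a $HOME_NET port other than 22 and 80 is dropped, with no rate, flag or
# state condition. It therefore also drops all traffic to port 23, so the telnet rule
# below never sees a packet while this rule is loaded. For actual scan detection use the
# port_scan inspector (Snort 3) / sfportscan preprocessor (Snort 2); keep this rule only
# if an explicit inbound port allow-list is the intent.
# gid written in lowercase, the form documented for the option keyword; the wrapped
# "sid:" / value pair is rejoined.
drop tcp any any -> $HOME_NET ![22,80] (msg: "Detect Port Scan!"; gid:1; sid:10000005; rev:001;)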

# Counts packets, not login attempts: detection_filter fires from the 31st to-server packet
# of one source within 60 s, and telnet commonly sends a segment per keystroke, so an
# ordinary interactive session can trip this after ~30 keystrokes. A login-failure marker
# from the server would be a more accurate counting event — TODO confirm the banner text of
# the telnetd in use before adding a content match.
# No gid given here, unlike the other rules (it defaults to 1). The sid is in the local
# range (>= 1000000) but has 7 digits where the rest of this file uses 8 — check it is the
# intended value.
drop tcp any any -> $HOME_NET 23 (msg:"TELNET Brute Force Attempt";
flow:established,to_server; detection_filter:track by_src, count 30, seconds 60;
sid:1000001; rev:1;)

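# URL-encoded shell metacharacters in raw HTTP request bytes. Changes from the original:
# - flow:to_server,established so only requests are inspected (the other web rules in this
#   file already do this); without it a server response containing the same text would
#   be dropped too.
# - nocase: content matching is case-sensitive by default, so the lowercase encodings
#   (%3b, %7c, %26 is digits only) slipped past the original rules.
# - sids 100000010-100000012 had nine digits against the eight used everywhere else; they
#   are normalised to 10000010-10000012 — constructed values, confirm against the
#   project's sid allocation.
# Note: "%26" (a single encoded &) also matches any URL-encoded ampersand in ordinary form
# data and subsumes the "%26%26" rule; expect false positives from it.
drop tcp any any -> $HOME_NET 80 (msg: "CMD Injection Detected (%3B)"; flow:to_server,established; content:"%3B"; nocase; sid:10000009;)
drop tcp any any -> $HOME_NET 80 (msg: "CMD Injection Detected (%7C)"; flow:to_server,established; content:"%7C"; nocase; sid:10000010;)
drop tcp any any -> $HOME_NET 80 (msg: "CMD Injection Detected (%26%26)"; flow:to_server,established; content:"%26%26"; nocase; sid:10000011;)
drop tcp any any -> $HOME_NET 80 (msg: "CMD Injection Detected (%26)"; flow:to_server,established; content:"%26"; nocase; sid:10000012;)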

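# Combined form of the four single-marker rules above. The original wrote
# content:"|%3B| %7C|%26%26|%26|", but inside a content string `|...|` delimits hex bytes,
# so a `%` between the bars is a parse error — and content has no alternation at all.
# pcre carries the alternation; /i also covers lowercase %3b / %7c. %26%26 is already
# covered by %26, so it is not listed separately.
# sid: the original reused 10000009, which the "%3B" rule above already owns; 10000013 is a
# constructed placeholder — assign it from the project's own allocation.
drop tcp any any -> $HOME_NET 80 (msg: "CMD Injection Detected"; flow:to_server,established; pcre:"/%3B|%7C|%26/i"; sid:10000013;)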

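# SQL-injection probe (the classic "' or" and "' union" signatures). Changes from the original:
# - the apostrophes in the pcre were typographic quotes (’), as produced by a word processor
#   or PDF export, so the pattern never matched a real ASCII apostrophe; restored to \'.
# - groups re-balanced so the alternation reads: (optional word chars)('|%27)(o|%6F|%4F)
#   (r|%72|%52)  OR  ('|%27)union — which is what the two source signatures express.
# Caveats: `uricontent` is Snort 2 syntax (Snort 3 uses `http_uri; content:...`). The ".pl"
# prefilter only lets Perl-CGI URIs through; the UNION payload at the bottom of this page
# targets DVWA, which is served by PHP, so this rule would not fire there — TODO confirm the
# target. sid 9099 is below the 1,000,000 floor reserved for local rules.
drop tcp any any -> $HOME_NET 80 (msg:"SQL Injection Detected"; flow:to_server,established; uricontent:".pl"; pcre:"/\w*((\%27)|(\'))((\%6F)|o|(\%4F))((\%72)|r|(\%52))|((\%27)|(\'))union/ix"; classtype:web-application-attack; sid:9099; rev:5;)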

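# Generic XSS probe: an HTML tag (opening bracket, optional slash, tag name, closing
# bracket) in the client-to-server stream, literal or URL-encoded; /i covers %3c / %3e.
# The pattern is rejoined onto one line — the page break split it between the `*` and the
# character class, which would have changed the regex.
# This matches any tag in any request URI or body, so legitimate HTML submissions
# (rich-text forms, for example) trip it. sid 9000 is below the 1,000,000 floor reserved
# for local rules.
drop tcp any any -> $HOME_NET 80 (msg:"Cross-site scripting attempt"; flow:to_server,established; pcre:"/((\%3C)|<)((\%2F)|\/)*[a-z0-9\%]+((\%3E)|>)/i"; sid:9000; rev:5;)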

<a href="https://www.uit.edu.vn">Deadline</a>

1' union select 1,(select group_concat(user,password) from dvwa.users)#

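# UNION ... SELECT ... FROM followed by a comment marker, letters literal or URL-encoded.
# Fixes to the original pattern:
# - the T group listed %45, which is the code for "E"; the encoding of "T" is %54.
# - the second E group had a stray space before its closing parenthesis ("%45 "), which in a
#   non-extended pattern is a literal space and made that branch unmatchable.
# - with /i the upper/lower-case letter pairs are redundant; the shorter form used in the
#   fragment below the rule is adopted throughout, with the same matching behaviour.
# Caveat: the trailing (--|/*|#) group means a UNION ... FROM without a comment marker is
# not matched. sid 29 is in the range reserved for official rules (< 1,000,000); renumber
# into the local range.
drop tcp any any -> $HOME_NET 80 (msg: "Advanced SQL Injection UNION SELECT statement"; flow: to_server, established; pcre:"/(u|%75|%55)(n|%6E|%4E)(i|%69|%49)(o|%6F|%4F)(n|%6E|%4E).*(s|%73|%53)(e|%65|%45)(l|%6C|%4C)(e|%65|%45)(c|%63|%43)(t|%74|%54).*(f|%66|%46)(r|%72|%52)(o|%6F|%4F)(m|%6D|%4D).*(\-\-|\/\*|\#)/i"; sid: 29; rev: 3;)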

(u|%75|%55)(n|%6E|%4E)(i|%69|%49)(o|%6F|%4F)(n|%6E|%4E).*
