SEC ruleset for common exploit patterns and my master thesis
Switch branches/tags
Nothing to show
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Failed to load latest commit information.
Kibana dashboards Update Jul 3, 2014
Thesis Update Jun 10, 2014
guides Minor improvement Oct 31, 2014
rules Minor improvement Oct 31, 2014
scripts script May 8, 2014
syslog daemon test results rename May 8, 2014
.gitattributes Added readme Apr 28, 2014
.gitignore Added readme Apr 28, 2014
LICENSE Initial commit Apr 28, 2014 typos Mar 9, 2018


This repository is stale and only serves as public archive for my master thesis. However, rules developed for the thesis serve as a base for frankenstack correlator. Please see this repo for more up-to-date version of the rules.

Old readme

This SEC ruleset is designed to indentify common attack patterns from server log files. Currently, it supports identification of authentication attacks from various services, general web application injections and some forms of DNS amplification attacks.

NOTE: Please edit action.sec file to match your environment.


For example if your internal network uses range then use the following regular expression:


Simple deployment

cd /opt
git pull
sec --detach --conf=/opt/SagittariuSEC/rules/\*.sec --input=/var/log/\*.log --syslog=daemon

Rules in actions.sec file can be used to block attackers in real time. Some basic scripts for that are provided in Scripts folder. These scripts can be executed over key-based SSH connection on central firewall.

vim /opt/SagittariuSEC/rules/actions.sec
action=logonly; event IP_BLOCKED_$+{remote_IP}; shellcmd (ssh root@firewall.domain.ex 'bash -s' -- <  /opt/SagittariuSEC/scripts/ $+{remote_IP}

Simple ruleset update, custom actions will be preserved

cd /opt/SagittariuSEC/
mv rules/actions.sec /tmp/ && git pull && mv /tmp/actions.sec rules/