SEC ruleset for common exploit patterns and my master thesis
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.
Kibana dashboards
Thesis Update Jun 10, 2014
scripts script May 8, 2014
syslog daemon test results rename May 8, 2014
.gitattributes Added readme Apr 28, 2014
.gitignore Added readme Apr 28, 2014


This repository is stale and only serves as public archive for my master thesis. However, rules developed for the thesis serve as a base for frankenstack correlator. Please see this repo for more up-to-date version of the rules.

Old readme

This SEC ruleset is designed to indentify common attack patterns from server log files. Currently, it supports identification of authentication attacks from various services, general web application injections and some forms of DNS amplification attacks.

NOTE: Please edit action.sec file to match your environment.


For example if your internal network uses range then use the following regular expression:


Simple deployment

cd /opt
git pull
sec --detach --conf=/opt/SagittariuSEC/rules/\*.sec --input=/var/log/\*.log --syslog=daemon

Rules in actions.sec file can be used to block attackers in real time. Some basic scripts for that are provided in Scripts folder. These scripts can be executed over key-based SSH connection on central firewall.

vim /opt/SagittariuSEC/rules/actions.sec
action=logonly; event IP_BLOCKED_$+{remote_IP}; shellcmd (ssh root@firewall.domain.ex 'bash -s' -- <  /opt/SagittariuSEC/scripts/ $+{remote_IP}

Simple ruleset update, custom actions will be preserved

cd /opt/SagittariuSEC/
mv rules/actions.sec /tmp/ && git pull && mv /tmp/actions.sec rules/