# Snort rule — זיהוי ניסיון SQL Injection
alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (
    msg:"SQL Injection UNION SELECT";
    flow:to_server,established;
    content:"UNION"; nocase;
    content:"SELECT"; nocase;
    within:50;
    pcre:"/UNION\s+ALL\s+SELECT/i";
    classtype:web-application-attack;
    sid:1000042;
    rev:1;
)

# Suricata rule — זיהוי C2 communication ב-DNS
alert dns any any -> any any (
    msg:"Possible DNS C2 long subdomain";
    dns.query;
    pcre:"/[a-z0-9]{30,}\.[a-z]{2,}/i";
    threshold:type limit, track by_src, count 1, seconds 60;
    sid:2000001;
    rev:1;
)

Blue Team — מבוא להגנה

Blue Team — מבוא להגנה

Blue Team — מבוא להגנה