plaintext 7 lines · 1 tab

Suricata IDS rule authoring for suspicious lateral movement

Kai Nakamura Apr 2026
1 tab
alert tcp $HOME_NET any -> $HOME_NET 445 (
  msg:"Possible SMB lateral movement enumeration";
  flow:to_server,established;
  content:"|FF|SMB"; depth:4;
  threshold:type both, track by_src, count 15, seconds 60;
  sid:1000001; rev:1;
)
1 file · plaintext Explain with highlit

Detection engineering works best when the rule reflects a behavior you can explain, not just a string that looked scary once. I use Suricata for network patterns that are specific enough to matter operationally. Rule quality is a maintenance problem as much as a syntax problem.

Share this code

Here's the card — post it anywhere.

Suricata IDS rule authoring for suspicious lateral movement — share card
Link copied