diff --git a/rules/base.txt b/rules/base.txt
index 1538938f..3d8e8e83 100644
--- a/rules/base.txt
+++ b/rules/base.txt
@@ -204,4 +204,36 @@ user.name = td-agent and outbound and not fluentd_forward_port | %evt.time: Unex
 # http://gearman.org/protocol/
 user.name = gearman and outbound and outbound and not fd.sport = 4730 | %evt.time: Unexpected Gearman outbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
+# Zookeeper
+zookeeper_port: 2181
+# HBase ports
+# http://blog.cloudera.com/blog/2013/07/guide-to-using-apache-hbase-ports/
+hbase_master_port: fd.sport = 60000
+hbase_master_info_port: fd.sport = 60010
+hbase_regionserver_port: fd.sport = 60020
+hbase_regionserver_info_port: fd.sport = 60030
+hbase_rest_port: fd.sport = 8080
+hbase_rest_info_port: fd.sport = 8085
+hbase_regionserver_thrift_port: fd.sport = 9090
+hbase_thrift_info_port: fd.sport = 9095
+
+# If you're not running HBase under the 'hbase' user, adjust first expression
+# in each rule below
+user.name = hbase and inbound and not (hbase_master_port or hbase_master_info_port or hbase_regionserver_port or hbase_regionserver_info_port or hbase_rest_port or hbase_rest_info_port or hbase_regionserver_thrift_port or hbase_thrift_info_port) | %evt.time: Unexpected HBase inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
+user.name = hbase and outbound and not (zookeeper_port or hbase_master_port or hbase_regionserver_port) | %evt.time: Unexpected HBase outbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
+
+
+# Kafka ports
+user.name = kafka and inbound and fd.sport != 9092 | %evt.time: Unexpected Kafka inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
+
+# Memcached ports
+user.name = memcached and inbound and fd.sport != 11211 | %evt.time: Unexpected Memcached inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
+
+# MongoDB ports
+mongodb_server_port: fd.sport = 27017
+mongodb_shardserver_port: fd.sport = 27018
+mongodb_configserver_port: fd.sport = 27019
+mongodb_webserver_port: fd.sport = 28017
+
+user.name = mongodb and inbound and not (mongodb_server_port or mongodb_shardserver_port or mongodb_configserver_port or mongodb_webserver_port) | %evt.time: Unexpected MongoDF inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
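Review bot: `zookeeper_port: 2181` is the only macro in the hunk defined as a bare number rather than a comparison, so `not (zookeeper_port or hbase_master_port or hbase_regionserver_port)` in the HBase outbound rule is unlikely to exclude ZooKeeper traffic the way its sibling macros do; define it as `zookeeper_port: fd.sport = 2181` to match them. The MongoDB rule's output string on the last line reads `Unexpected MongoDF inbound port`, a typo in an alert message that anyone searching or correlating alerts by product name will miss; change it to `Unexpected MongoDB inbound port`. The Kafka and Memcached rules inline `fd.sport != 9092` and `fd.sport != 11211` instead of defining named port macros like the other services in this hunk, which makes them harder to adjust when a deployment uses a non-default port; `kafka_port: fd.sport = 9092` and `memcached_port: fd.sport = 11211` macros would keep the section consistent.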