diff --git a/rules/base.txt b/rules/base.txt
index b6217820..91063027 100644
--- a/rules/base.txt
+++ b/rules/base.txt
@@ -43,18 +43,6 @@ sensitive_files: fd.name contains /etc/passwd or fd.name = /etc/sudoers or fd.di
 inbound: (syscall.type=listen and evt.dir=>) or (syscall.type=accept and evt.dir=<)
 outbound: ((syscall.type=connect and evt.dir=<) or (syscall.type=sendto and evt.dir=>)) and (fd.typechar=4 or fd.typechar=6)
-active_mq_port: fd.lport=61616
-active_mq_web_port: fd.lport=8161
-active_mq: active_mq_port or active_mq_web_port
-
-cassandra_thrift_client_port: fd.lport=9160
-cassandra_cql_port: fd.lport=9042
-cassandra_port: cassandra_thrift_client_port or cassandra_cql_port
-
-elasticsearch_cluster_port: fd.lport=9300
-elasticsearch_api_port: fd.lport=9200
-elasticsearch_port: elasticsearch_cluster_port or elasticsearch_api_port
-
 ssh_port: fd.lport=22 # Ssh
@@ -128,5 +116,91 @@ not proc.name in (su, sudo) and (adduser_binaries or login_binaries or passwd_bi
 # Some rootkits hide files in /dev
 (evt.type = creat or evt.arg.flags contains O_CREAT) and fd.directory = /dev and fd.name != /dev/null | %evt.time: file created in /dev (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
-# Example: you might enable this on a node running elasticsearch (tailor to your server type)
-# inbound and fd.sockfamily = ip and not (ssh_port or elasticsearch_port) and not fd.rip="127.0.0.1" | %evt.time: bad rip (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
+# Elasticsearch connections ports
+elasticsearch_cluster_port: fd.sport=9300
+elasticsearch_api_port: fd.sport=9200
+elasticsearch_port: elasticsearch_cluster_port or elasticsearch_api_port
+user.name = elasticsearch and inbound and not elasticsearch_port | %evt.time: Unexpected Elasticsearch inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
+user.name = elasticsearch and outbound and not elasticsearch_cluster_port | %evt.time: Unexpected Elasticsearch outbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
+
+
+# ActiveMQ connections ports
+activemq_cluster_port: fd.sport=61616
+activemq_web_port: fd.sport=8161
+activemq_port: activemq_web_port or activemq_cluster_port
+user.name = activemq and inbound and not activemq_port | %evt.time: Unexpected ActiveMQ inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
+user.name = activemq and outbound and not activemq_cluster_port | %evt.time: Unexpected ActiveMQ outbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
+
+
+# Cassandra connections ports
+# https://docs.datastax.com/en/cassandra/2.0/cassandra/security/secureFireWall_r.html
+cassandra_thrift_client_port: fd.sport=9160
+cassandra_cql_port: fd.sport=9042
+cassandra_cluster_port: fd.sport=7000
+cassandra_ssl_cluster_port: fd.sport=7001
+cassandra_jmx_port: fd.sport=7199
+cassandra_port: cassandra_thrift_client_port or cassandra_cql_port or cassandra_cluster_port or cassandra_ssl_cluster_port or cassandra_jmx_port
+
+user.name = cassandra and inbound and not cassandra_port | %evt.time: Unexpected Cassandra inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
+user.name = cassandra and outbound and not (cassandra_ssl_cluster_port or cassandra_cluster_port) | %evt.time: Unexpected Cassandra outbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
+
+# Couchbase connections ports
+# http://docs.couchbase.com/admin/admin/Install/install-networkPorts.html
+# Web Administration Port
+couchbase_web_port: fd.sport=8091
+# Couchbase API Port
+couchbase_api_port: fd.sport=8092
+# Internal/External Bucket Port for SSL
+couchbase_ssl_bucket_port: fd.sport=11207
+# Internal Bucket Port
+couchbase_bucket_port: fd.sport=11209
+# Internal/External Bucket Port
+couchbase_bucket_port_ie: fd.sport=11210
+# Client interface (proxy)
+couchbase_client_interface_port: fd.sport=11211
+# Incoming SSL Proxy
+couchbase_incoming_ssl: fd.sport=11214
+# Internal Outgoing SSL Proxy
+couchbase_outgoing_ssl: fd.sport=11215
+# Internal REST HTTPS for SSL
+couchbase_internal_rest_port: fd.sport=18091
+# Internal CAPI HTTPS for SSL
+couchbase_internal_capi_port: fd.sport=18092
+# Erlang Port Mapper ( epmd )
+couchbase_epmd_port: fd.sport=4369
+# Node data exchange
+couchbase_dataexchange_port: fd.sport>=21100 and fd.sport<=21299
+
+couchbase_internal_port: couchbase_bucket_port or couchbase_epmd_port or couchbase_dataexchange_port
+couchbase_port: couchbase_web_port or couchbase_api_port or couchbase_ssl_bucket_port or couchbase_internal_port or couchbase_bucket_port_ie or couchbase_client_interface_port or couchbase_incoming_ssl or couchbase_outgoing_ssl or couchbase_internal_rest_port or couchbase_internal_capi_port
+
+user.name = couchbase and inbound and not couchbase_port | %evt.time: Unexpected Couchbase inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
+user.name = couchbase and outbound and not couchbase_internal_port | %evt.time: Unexpected Couchbase inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
+
+
+# Couchdb connections ports
+# https://github.com/davisp/couchdb/blob/master/etc/couchdb/local.ini
+couchdb_httpd_port: fd.sport=5984
+couchdb_httpd_ssl_port: fd.sport=6984
+# xxx can't tell what clustering ports are used. not writing rules for this
+# yet.
+
+# Etcd connections ports
+etcd_client_port: fd.sport=2379
+etcd_peer_port: fd.sport=2380
+# need to double-check which user etcd runs as
+user.name = etcd and inbound and not (etcd_client_port or etcd_peer_port) | %evt.time: Unexpected Etcd inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
+user.name = etcd and outbound and not couchbase_internal_port | %evt.time: Unexpected Etcd outbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
+
+
+# Fluentd connections ports
+fluentd_http_port: fd.sport=9880
+fluentd_forward_port: fd.sport=24224
+user.name = td-agent and inbound and not (fluentd_forward_port or fluentd_http_port) | %evt.time: Unexpected Fluentd inbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
+user.name = td-agent and outbound and not fluentd_forward_port | %evt.time: Unexpected Fluentd outbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
+
+# Gearman ports
+# http://gearman.org/protocol/
+user.name = gearman and outbound and outbound and not fd.sport = 4730 | %evt.time: Unexpected Gearman outbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
+
+
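Review bot: The etcd outbound rule near the end of the hunk negates `couchbase_internal_port` instead of an etcd macro, so etcd's own peer traffic on 2380 would be reported while connections to Couchbase's internal ports would be silently allowed; it should read `user.name = etcd and outbound and not etcd_peer_port | %evt.time: Unexpected Etcd outbound port (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)`. Two smaller copy-paste slips in the same hunk: the Couchbase outbound rule's output says `Unexpected Couchbase inbound port` where it should say `outbound`, which would mislead anyone triaging the alert, and the Gearman rule repeats `outbound and outbound`. Every rule here also keys on an exact `user.name`, so the comment `# need to double-check which user etcd runs as` applies equally to the other services; a daemon running under any other account matches none of these rules, and a one-line comment at the top of the section saying the user names must be tailored to the deployment would save operators from assuming coverage they do not have.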