Add some simple example rules

rules/example-1-simple.conf

@@ -0,0 +1,14 @@
+# A very simple config for introductory purpose. Not for the real-world!
+
+
+# Network traffic to/from standard system utilities
+# These utils never communicate on the network - if they do, that is a strong indication
+# that something is wrong (rootkit?)
+# Note that the full rule lists all ~150 binaries from coreutils; this example only has a few.
+(fd.typechar = 4 or fd.typechar = 6) and proc.name in (ls, mkdir, cat, less, ps)
+
+# System binary is modified or new file is written to standard binary dirs
+evt.type = write and fd.directory in (/bin, /sbin, /usr/bin, /usr/sbin)
+
+# Shell running in container
+container.id != host and proc.name = bash

rules/example-2-macros.conf

@@ -0,0 +1,17 @@
+# A very simple config for introductory purpose. Not for the real-world!
+
+
+# Binary directories
+bin_dir: fd.directory in (/bin, /sbin, /usr/bin, /usr/sbin)
+
+# Core binaries
+core_binaries: proc.name in (ls, mkdir, cat, less, ps)
+
+# Network traffic to/from standard utility
+(fd.typechar = 4 or fd.typechar=6) and core_binaries
+
+# System binary is modified
+evt.type = write and bin_dir
+
+# Shell running in container
+container.id != host and proc.name = bash

rules/example-3-outputs.conf

@@ -0,0 +1,16 @@
+# A very simple config for introductory purpose. Not for the real-world!
+
+# Binary directories
+bin_dir: fd.directory in (/bin, /sbin, /usr/bin, /usr/sbin)
+
+# Core binaries
+core_binaries: proc.name in (ls, mkdir, cat, less, ps)
+
+# Network traffic to/from standard utility
+(fd.typechar = 4 or fd.typechar=6) and core_binaries | %evt.time: %proc.name network with %fd.l4proto
+
+# System binary is modified
+evt.type = write and bin_dir | %evt.time: System binary modified (file '%fd.filename' written by process %proc.name)
+
+# Shell running in container
+container.id != host and proc.name = bash | %evt.time: Shell running in container (%proc.name, %container.id)