SigmaHQ/rules/compliance/cleartext_protocols.yml

action: global
title: Cleartext Protocol Usage
description: Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels. Ensure that an encryption is used for all sensitive information in transit. Ensure that an encrypted channels is used  for all administrative account access.
references:
- https://www.cisecurity.org/controls/cis-controls-list/
- https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
- https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
author: Alexandr Yampolskyi, SOC Prime
status: stable
date: 2019/03/26
falsepositives:
- unknown
level: low
tags:
- CSC4
- CSC4.5
- CSC14
- CSC14.4
- CSC16
- CSC16.5
- NIST CSF 1.1 PR.AT-2
- NIST CSF 1.1 PR.MA-2
- NIST CSF 1.1 PR.PT-3
- NIST CSF 1.1 PR.AC-1
- NIST CSF 1.1 PR.AC-4
- NIST CSF 1.1 PR.AC-5
- NIST CSF 1.1 PR.AC-6
- NIST CSF 1.1 PR.AC-7
- NIST CSF 1.1 PR.DS-1
- NIST CSF 1.1 PR.DS-2
- NIST CSF 1.1 PR.PT-3
- NIST CSF 1.1 PR.PT-3
- ISO 27002-2013 A.9.2.1
- ISO 27002-2013 A.9.2.2
- ISO 27002-2013 A.9.2.3
- ISO 27002-2013 A.9.2.4
- ISO 27002-2013 A.9.2.5
- ISO 27002-2013 A.9.2.6
- ISO 27002-2013 A.9.3.1
- ISO 27002-2013 A.9.4.1
- ISO 27002-2013 A.9.4.2
- ISO 27002-2013 A.9.4.3
- ISO 27002-2013 A.9.4.4
- ISO 27002-2013 A.8.3.1
- ISO 27002-2013 A.9.1.1
- ISO 27002-2013 A.10.1.1
- PCI DSS 3.2 2.1
- PCI DSS 3.2 8.1
- PCI DSS 3.2 8.2
- PCI DSS 3.2 8.3
- PCI DSS 3.2 8.7
- PCI DSS 3.2 8.8
- PCI DSS 3.2 1.3
- PCI DSS 3.2 1.4
- PCI DSS 3.2 4.3
- PCI DSS 3.2 7.1
- PCI DSS 3.2 7.2
- PCI DSS 3.2 7.3
---
logsource:
  product: netflow
detection:
  selection:
    destination.port:
    - 8080
    - 21
    - 80
    - 23
    - 50000
    - 1521
    - 27017
    - 1433
    - 11211
    - 3306
    - 15672
    - 5900
    - 5901
    - 5902
    - 5903
    - 5904
  condition: selection
---
logsource:
  product: firewall
detection:
  selection1:
    destination.port:
    - 8080
    - 21
    - 80
    - 23
    - 50000
    - 1521
    - 27017
    - 3306
    - 1433
    - 11211
    - 15672
    - 5900
    - 5901
    - 5902
    - 5903
    - 5904
  selection2:
    action:
    - forward
    - accept
    - 2
  condition: selection1 AND selection2
Fixed global rule syntax 2019-08-05 17:43:15 +00:00			`action: global`
Update cleartext_protocols.yml 2019-08-05 17:47:03 +00:00			`title: Cleartext Protocol Usage`
compliance rules by SOC prime 2019-08-05 16:42:19 +00:00			`description: Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels. Ensure that an encryption is used for all sensitive information in transit. Ensure that an encrypted channels is used for all administrative account access.`
			`references:`
			`- https://www.cisecurity.org/controls/cis-controls-list/`
			`- https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf`
			`- https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf`
			`author: Alexandr Yampolskyi, SOC Prime`
			`status: stable`
Fixed global rule syntax 2019-08-05 17:43:15 +00:00			`date: 2019/03/26`
			`falsepositives:`
			`- unknown`
Update cleartext_protocols.yml 2019-08-05 17:47:03 +00:00			`level: low`
Fixed global rule syntax 2019-08-05 17:43:15 +00:00			`tags:`
			`- CSC4`
			`- CSC4.5`
			`- CSC14`
			`- CSC14.4`
			`- CSC16`
			`- CSC16.5`
			`- NIST CSF 1.1 PR.AT-2`
			`- NIST CSF 1.1 PR.MA-2`
			`- NIST CSF 1.1 PR.PT-3`
			`- NIST CSF 1.1 PR.AC-1`
			`- NIST CSF 1.1 PR.AC-4`
			`- NIST CSF 1.1 PR.AC-5`
			`- NIST CSF 1.1 PR.AC-6`
			`- NIST CSF 1.1 PR.AC-7`
			`- NIST CSF 1.1 PR.DS-1`
			`- NIST CSF 1.1 PR.DS-2`
			`- NIST CSF 1.1 PR.PT-3`
			`- NIST CSF 1.1 PR.PT-3`
			`- ISO 27002-2013 A.9.2.1`
			`- ISO 27002-2013 A.9.2.2`
			`- ISO 27002-2013 A.9.2.3`
			`- ISO 27002-2013 A.9.2.4`
			`- ISO 27002-2013 A.9.2.5`
			`- ISO 27002-2013 A.9.2.6`
			`- ISO 27002-2013 A.9.3.1`
			`- ISO 27002-2013 A.9.4.1`
			`- ISO 27002-2013 A.9.4.2`
			`- ISO 27002-2013 A.9.4.3`
			`- ISO 27002-2013 A.9.4.4`
			`- ISO 27002-2013 A.8.3.1`
			`- ISO 27002-2013 A.9.1.1`
			`- ISO 27002-2013 A.10.1.1`
			`- PCI DSS 3.2 2.1`
			`- PCI DSS 3.2 8.1`
			`- PCI DSS 3.2 8.2`
			`- PCI DSS 3.2 8.3`
			`- PCI DSS 3.2 8.7`
			`- PCI DSS 3.2 8.8`
			`- PCI DSS 3.2 1.3`
			`- PCI DSS 3.2 1.4`
			`- PCI DSS 3.2 4.3`
			`- PCI DSS 3.2 7.1`
			`- PCI DSS 3.2 7.2`
			`- PCI DSS 3.2 7.3`
			`---`
compliance rules by SOC prime 2019-08-05 16:42:19 +00:00			`logsource:`
			`product: netflow`
			`detection:`
			`selection:`
			`destination.port:`
			`- 8080`
			`- 21`
			`- 80`
			`- 23`
			`- 50000`
			`- 1521`
			`- 27017`
			`- 1433`
			`- 11211`
			`- 3306`
			`- 15672`
			`- 5900`
			`- 5901`
			`- 5902`
			`- 5903`
			`- 5904`
			`condition: selection`
			`---`
			`logsource:`
			`product: firewall`
			`detection:`
			`selection1:`
			`destination.port:`
			`- 8080`
			`- 21`
			`- 80`
			`- 23`
			`- 50000`
			`- 1521`
			`- 27017`
			`- 3306`
			`- 1433`
			`- 11211`
			`- 15672`
			`- 5900`
			`- 5901`
			`- 5902`
			`- 5903`
			`- 5904`
			`selection2:`
			`action:`
			`- forward`
			`- accept`
			`- 2`
			`condition: selection1 AND selection2`