Update lnx_network_service_scanning.yml

2024-11-06 17:35:19 +00:00 · 2020-11-16 01:00:09 +01:00 · 2020-11-16 01:00:09 +01:00 · 2939b33ab5
commit 2939b33ab5
parent ad031d97ee
1 changed files with 9 additions and 3 deletions
--- a/rules/linux/lnx_network_service_scanning.yml
+++ b/rules/linux/lnx_network_service_scanning.yml
@ -19,13 +19,17 @@ logsource:
  product: linux
  definition: 'Detect netcat and filter our listening mode'
 detection:
-  selection:
+  netcat:
    ProcessName|endswith:
      - '/nc'
      - '/netcat'
-  filter:
+  network_scanning_tools:
+    ProcessName|endswith:
+      - '/telnet' # could be wget, curl, ssh, many things. basically everything that is able to do network connection. consider fine tuning
+      - '/nmap'
+  netcat_listen_flag:
    CommandLine|contains: 'l'
-  condition: selection and not filter
+  condition: (netcat and not netcat_listen_flag) or network_scanning_tools
 ---
 logsource:
  product: linux
@ -37,5 +41,7 @@ detection:
    exe|endswith:
      - '/telnet'
      - '/nmap'
+      - '/netcat'
+      - '/nc'
    key: 'network_connect_4'
    condition: selection