split global cleartext_protocols.yml

rules/compliance/firewall_cleartext_protocols.yml

@@ -1,5 +1,5 @@
-action: global
 title: Cleartext Protocol Usage
+id: d7fb8f0e-bd5f-45c2-b467-19571c490d7e
 status: stable
 description: Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels. Ensure that an encryption
     is used for all sensitive information in transit. Ensure that an encrypted channels is used  for all administrative account access.
@@ -9,9 +9,6 @@ references:
     - https://www.cisecurity.org/controls/cis-controls-list/
     - https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
     - https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
-falsepositives:
-    - unknown
-level: low
 # tags:
     # - CSC4
     # - CSC4.5
@@ -55,32 +52,6 @@ level: low
     # - PCI DSS 3.2 7.1
     # - PCI DSS 3.2 7.2
     # - PCI DSS 3.2 7.3
----
-id: 7e4bfe58-4a47-4709-828d-d86c78b7cc1f
-logsource:
-    product: netflow
-detection:
-    selection:
-        destination.port:
-            - 8080
-            - 21
-            - 80
-            - 23
-            - 50000
-            - 1521
-            - 27017
-            - 1433
-            - 11211
-            - 3306
-            - 15672
-            - 5900
-            - 5901
-            - 5902
-            - 5903
-            - 5904
-    condition: selection
----
-id: d7fb8f0e-bd5f-45c2-b467-19571c490d7e
 logsource:
     category: firewall
 detection:
@@ -108,3 +79,6 @@ detection:
             - accept
             - 2
     condition: selection1 AND selection2
+falsepositives:
+    - unknown
+level: low

rules/compliance/netflow_cleartext_protocols.yml

@@ -0,0 +1,79 @@
+title: Cleartext Protocol Usage
+id: 7e4bfe58-4a47-4709-828d-d86c78b7cc1f
+status: stable
+description: Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels. Ensure that an encryption
+    is used for all sensitive information in transit. Ensure that an encrypted channels is used  for all administrative account access.
+author: Alexandr Yampolskyi, SOC Prime
+date: 2019/03/26
+references:
+    - https://www.cisecurity.org/controls/cis-controls-list/
+    - https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
+    - https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
+# tags:
+    # - CSC4
+    # - CSC4.5
+    # - CSC14
+    # - CSC14.4
+    # - CSC16
+    # - CSC16.5
+    # - NIST CSF 1.1 PR.AT-2
+    # - NIST CSF 1.1 PR.MA-2
+    # - NIST CSF 1.1 PR.PT-3
+    # - NIST CSF 1.1 PR.AC-1
+    # - NIST CSF 1.1 PR.AC-4
+    # - NIST CSF 1.1 PR.AC-5
+    # - NIST CSF 1.1 PR.AC-6
+    # - NIST CSF 1.1 PR.AC-7
+    # - NIST CSF 1.1 PR.DS-1
+    # - NIST CSF 1.1 PR.DS-2
+    # - ISO 27002-2013 A.9.2.1
+    # - ISO 27002-2013 A.9.2.2
+    # - ISO 27002-2013 A.9.2.3
+    # - ISO 27002-2013 A.9.2.4
+    # - ISO 27002-2013 A.9.2.5
+    # - ISO 27002-2013 A.9.2.6
+    # - ISO 27002-2013 A.9.3.1
+    # - ISO 27002-2013 A.9.4.1
+    # - ISO 27002-2013 A.9.4.2
+    # - ISO 27002-2013 A.9.4.3
+    # - ISO 27002-2013 A.9.4.4
+    # - ISO 27002-2013 A.8.3.1
+    # - ISO 27002-2013 A.9.1.1
+    # - ISO 27002-2013 A.10.1.1
+    # - PCI DSS 3.2 2.1
+    # - PCI DSS 3.2 8.1
+    # - PCI DSS 3.2 8.2
+    # - PCI DSS 3.2 8.3
+    # - PCI DSS 3.2 8.7
+    # - PCI DSS 3.2 8.8
+    # - PCI DSS 3.2 1.3
+    # - PCI DSS 3.2 1.4
+    # - PCI DSS 3.2 4.3
+    # - PCI DSS 3.2 7.1
+    # - PCI DSS 3.2 7.2
+    # - PCI DSS 3.2 7.3
+logsource:
+    product: netflow
+detection:
+    selection:
+        destination.port:
+            - 8080
+            - 21
+            - 80
+            - 23
+            - 50000
+            - 1521
+            - 27017
+            - 1433
+            - 11211
+            - 3306
+            - 15672
+            - 5900
+            - 5901
+            - 5902
+            - 5903
+            - 5904
+    condition: selection
+falsepositives:
+    - unknown
+level: low