Merge branch 'master' into devel-sigmac

2024-11-08 10:13:57 +00:00 · 2017-03-01 00:09:24 +01:00 · 2017-03-01 00:09:24 +01:00 · f5616051d7
commit f5616051d7
parent e0f813ebbb 001bed0c45
8 changed files with 41 additions and 6 deletions
--- a/images/Sigma_Schema.png
+++ b/images/Sigma_Schema.png
--- a/rules/linux/lnx_susp_failed_logons_single_source.yml
+++ b/rules/linux/lnx_susp_failed_logons_single_source.yml
@ -8,7 +8,7 @@ detection:
        log: auth
        pam_user: not null
        pam_rhost: not null
-    timeframe: last 24h 
+    timeframe: 24h 
    condition: selection | count(pam_user) by pam_rhost > 3
 falsepositives:
    - Terminal servers
--- a/rules/linux/modsecurity/modsec_mulitple_blocks.yml
+++ b/rules/linux/modsecurity/modsec_mulitple_blocks.yml
@ -0,0 +1,17 @@
+title: Multiple Modsecurity Blocks
+description: Detects multiple blocks by the mod_security module (Web Application Firewall) 
+logsource:
+    product: linux
+    service: modsecurity
+detection:
+    selection:
+        - 'mod_security: Access denied'
+        - 'ModSecurity: Access denied'
+        - 'mod_security-message: Access denied'
+    timeframe: 120m 
+    condition: selection | count() > 6
+falsepositives:
+    - Vulnerability scanners
+    - Frequent attacks if system faces Internet
+level: medium
+
--- a/rules/network/net_susp_network_scan.yml
+++ b/rules/network/net_susp_network_scan.yml
@ -7,8 +7,12 @@ detection:
    selection:
        log: network
        action: denied
-    timeframe: last 24h
+    timeframe: 24h
    condition:
        - selection | count(dst_port) > 10 by src_ip
        - selection | count(dst_ip) > 10 by src_ip
-level: medium
+falsepositives:
+    - Inventarization systems
+    - Vulnerability scans
+    - Penetration testing activity
+level: medium
--- a/rules/web/web_apache_segfault.yml
+++ b/rules/web/web_apache_segfault.yml
@ -0,0 +1,14 @@
+title: Apache Segmentation Fault
+description: Detects a segmentation fault error message caused by a creashing apacke worker process 
+author: Florian Roth
+reference: http://www.securityfocus.com/infocus/1633
+logsource:
+    product: apache
+detection:
+    keywords:
+        - 'exit signal Segmentation Fault'
+    condition: keywords
+falsepositives:
+    - Unknown
+level: high
+
--- a/rules/windows/builtin/win_alert_mimikatz_keywords.yml
+++ b/rules/windows/builtin/win_alert_mimikatz_keywords.yml
@ -22,5 +22,5 @@ detection:
    condition: selection and 1 of keywords
 falsepositives:
    - Naughty administrators
-    - Penetraion test
+    - Penetration test
 level: critical
--- a/rules/windows/builtin/win_susp_failed_logons_single_source.yml
+++ b/rules/windows/builtin/win_susp_failed_logons_single_source.yml
@ -12,7 +12,7 @@ detection:
            - 4776
        UserName: not null
        SourceWorkstation: not null
-    timeframe: last 24h 
+    timeframe: 24h 
    condition: selection | count(UserName) by SourceWorkstation > 3
 falsepositives:
    - Terminal servers
--- a/rules/windows/sysmon/sysmon_susp_mmc_source.yml
+++ b/rules/windows/sysmon/sysmon_susp_mmc_source.yml
@ -1,4 +1,4 @@
-title: Proceses created by MMC 
+title: Processes created by MMC 
 status: experimental
 description: Processes started by MMC could by a sign of lateral movement using MMC application COM object 
 reference: https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/