Merge branch 'master' into devel-sigmac

This commit is contained in:
Thomas Patzke 2017-03-01 00:09:24 +01:00
commit f5616051d7
8 changed files with 41 additions and 6 deletions

images/Sigma_Schema.png Normal file



@ -8,7 +8,7 @@ detection:
log: auth log: auth
pam_user: not null pam_user: not null
pam_rhost: not null pam_rhost: not null
timeframe: last 24h timeframe: 24h
condition: selection | count(pam_user) by pam_rhost > 3 condition: selection | count(pam_user) by pam_rhost > 3
falsepositives: falsepositives:
- Terminal servers - Terminal servers


@ -0,0 +1,17 @@
title: Multiple Modsecurity Blocks
description: Detects multiple blocks by the mod_security module (Web Application Firewall)
logsource:
product: linux
service: modsecurity
detection:
selection:
- 'mod_security: Access denied'
- 'ModSecurity: Access denied'
- 'mod_security-message: Access denied'
timeframe: 120m
condition: selection | count() > 6
falsepositives:
- Vulnerability scanners
- Frequent attacks if system faces Internet
level: medium
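Review bot: The aggregation in `condition: selection | count() > 6` is not grouped by any client, so six blocks from any mix of sources within 120 minutes satisfies it; on an Internet-facing host that becomes a near-permanent alert, which the second falsepositives entry already concedes. If the modsecurity log source exposes a client address field, grouping the count by it in the style of the `by src_ip` aggregation used in the firewall rule of this same commit would make the threshold per source rather than global. The rule also lacks the `author` and `reference` fields the new Apache rule carries and the `status: experimental` marker the MMC rule uses; a new, untuned rule would reasonably carry `status: experimental`. The hunk header announces 17 added lines but only 16 are shown here, so one line may have been dropped in rendering.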


@ -7,8 +7,12 @@ detection:
selection: selection:
log: network log: network
action: denied action: denied
timeframe: last 24h timeframe: 24h
condition: condition:
- selection | count(dst_port) > 10 by src_ip - selection | count(dst_port) > 10 by src_ip
- selection | count(dst_ip) > 10 by src_ip - selection | count(dst_ip) > 10 by src_ip
falsepositives:
- Inventarization systems
- Vulnerability scans
- Penetration testing activity
level: medium level: medium
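Review bot: The new falsepositives entry `- Inventarization systems` is not an English word and reads oddly next to the other two entries; `- Inventory systems` or `- Asset inventory systems` says the same thing. Separately, the unchanged condition lines put the threshold before the grouping (`count(dst_port) > 10 by src_ip`) while the other rules touched in this commit write the grouping first (`count(pam_user) by pam_rhost > 3`); if the Sigma condition grammar accepts only one order, this rule should be aligned, which is worth confirming against the spec rather than this hunk. The rule's header lines lie outside the hunk.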


@ -0,0 +1,14 @@
title: Apache Segmentation Fault
description: Detects a segmentation fault error message caused by a creashing apacke worker process
author: Florian Roth
reference: http://www.securityfocus.com/infocus/1633
logsource:
product: apache
detection:
keywords:
- 'exit signal Segmentation Fault'
condition: keywords
falsepositives:
- Unknown
level: high
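Review bot: The description on the second line of the new file has two typos, `creashing apacke`; it should read `description: Detects a segmentation fault error message caused by a crashing apache worker process`. The logsource gives only `product: apache` with no `service` entry, unlike the modsecurity rule added in this commit which sets both; if the convention is to name the log service as well, it is missing here. The hunk header announces 14 added lines but 13 are shown, so one line may have been dropped in rendering.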


@ -22,5 +22,5 @@ detection:
condition: selection and 1 of keywords condition: selection and 1 of keywords
falsepositives: falsepositives:
- Naughty administrators - Naughty administrators
- Penetraion test - Penetration test
level: critical level: critical


@ -12,7 +12,7 @@ detection:
- 4776 - 4776
UserName: not null UserName: not null
SourceWorkstation: not null SourceWorkstation: not null
timeframe: last 24h timeframe: 24h
condition: selection | count(UserName) by SourceWorkstation > 3 condition: selection | count(UserName) by SourceWorkstation > 3
falsepositives: falsepositives:
- Terminal servers - Terminal servers


@ -1,4 +1,4 @@
title: Proceses created by MMC title: Processes created by MMC
status: experimental status: experimental
description: Processes started by MMC could by a sign of lateral movement using MMC application COM object description: Processes started by MMC could by a sign of lateral movement using MMC application COM object
reference: https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/ reference: https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/
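Review bot: The title typo is fixed, but the description on the third line of the hunk still reads `could by a sign of lateral movement`; it should be `could be a sign of lateral movement`. The remainder of the rule lies outside the hunk.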