mirror of
https://github.com/valitydev/SigmaHQ.git
synced 2024-11-08 18:23:52 +00:00
Merge branch 'master' into devel-sigmac
This commit is contained in:
commit
f5616051d7
BIN
images/Sigma_Schema.png
Normal file
BIN
images/Sigma_Schema.png
Normal file
Binary file not shown.
After Width: | Height: | Size: 63 KiB |
@ -8,7 +8,7 @@ detection:
|
|||||||
log: auth
|
log: auth
|
||||||
pam_user: not null
|
pam_user: not null
|
||||||
pam_rhost: not null
|
pam_rhost: not null
|
||||||
timeframe: last 24h
|
timeframe: 24h
|
||||||
condition: selection | count(pam_user) by pam_rhost > 3
|
condition: selection | count(pam_user) by pam_rhost > 3
|
||||||
falsepositives:
|
falsepositives:
|
||||||
- Terminal servers
|
- Terminal servers
|
||||||
|
17
rules/linux/modsecurity/modsec_mulitple_blocks.yml
Normal file
17
rules/linux/modsecurity/modsec_mulitple_blocks.yml
Normal file
@ -0,0 +1,17 @@
|
|||||||
|
title: Multiple Modsecurity Blocks
|
||||||
|
description: Detects multiple blocks by the mod_security module (Web Application Firewall)
|
||||||
|
logsource:
|
||||||
|
product: linux
|
||||||
|
service: modsecurity
|
||||||
|
detection:
|
||||||
|
selection:
|
||||||
|
- 'mod_security: Access denied'
|
||||||
|
- 'ModSecurity: Access denied'
|
||||||
|
- 'mod_security-message: Access denied'
|
||||||
|
timeframe: 120m
|
||||||
|
condition: selection | count() > 6
|
||||||
|
falsepositives:
|
||||||
|
- Vulnerability scanners
|
||||||
|
- Frequent attacks if system faces Internet
|
||||||
|
level: medium
|
||||||
|
|
@ -7,8 +7,12 @@ detection:
|
|||||||
selection:
|
selection:
|
||||||
log: network
|
log: network
|
||||||
action: denied
|
action: denied
|
||||||
timeframe: last 24h
|
timeframe: 24h
|
||||||
condition:
|
condition:
|
||||||
- selection | count(dst_port) > 10 by src_ip
|
- selection | count(dst_port) > 10 by src_ip
|
||||||
- selection | count(dst_ip) > 10 by src_ip
|
- selection | count(dst_ip) > 10 by src_ip
|
||||||
|
falsepositives:
|
||||||
|
- Inventarization systems
|
||||||
|
- Vulnerability scans
|
||||||
|
- Penetration testing activity
|
||||||
level: medium
|
level: medium
|
14
rules/web/web_apache_segfault.yml
Normal file
14
rules/web/web_apache_segfault.yml
Normal file
@ -0,0 +1,14 @@
|
|||||||
|
title: Apache Segmentation Fault
|
||||||
|
description: Detects a segmentation fault error message caused by a creashing apacke worker process
|
||||||
|
author: Florian Roth
|
||||||
|
reference: http://www.securityfocus.com/infocus/1633
|
||||||
|
logsource:
|
||||||
|
product: apache
|
||||||
|
detection:
|
||||||
|
keywords:
|
||||||
|
- 'exit signal Segmentation Fault'
|
||||||
|
condition: keywords
|
||||||
|
falsepositives:
|
||||||
|
- Unknown
|
||||||
|
level: high
|
||||||
|
|
@ -22,5 +22,5 @@ detection:
|
|||||||
condition: selection and 1 of keywords
|
condition: selection and 1 of keywords
|
||||||
falsepositives:
|
falsepositives:
|
||||||
- Naughty administrators
|
- Naughty administrators
|
||||||
- Penetraion test
|
- Penetration test
|
||||||
level: critical
|
level: critical
|
||||||
|
@ -12,7 +12,7 @@ detection:
|
|||||||
- 4776
|
- 4776
|
||||||
UserName: not null
|
UserName: not null
|
||||||
SourceWorkstation: not null
|
SourceWorkstation: not null
|
||||||
timeframe: last 24h
|
timeframe: 24h
|
||||||
condition: selection | count(UserName) by SourceWorkstation > 3
|
condition: selection | count(UserName) by SourceWorkstation > 3
|
||||||
falsepositives:
|
falsepositives:
|
||||||
- Terminal servers
|
- Terminal servers
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
title: Proceses created by MMC
|
title: Processes created by MMC
|
||||||
status: experimental
|
status: experimental
|
||||||
description: Processes started by MMC could by a sign of lateral movement using MMC application COM object
|
description: Processes started by MMC could by a sign of lateral movement using MMC application COM object
|
||||||
reference: https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/
|
reference: https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/
|
||||||
|
Loading…
Reference in New Issue
Block a user