valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-08 02:08:54 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
1,925 Commits 20 Branches 25 Tags 21 MiB
7a1d48cccd
Commit Graph

382 Commits

Author SHA1 Message Date
Florian Roth
3f0040b983
Removed duplicate status field 2018-07-16 15:55:31 -06:00
Florian Roth
429474b6d6
Merge pull request #113 from megan201296/patch-9 
fixed typo
 2018-07-16 15:38:52 -06:00
megan201296
02ea2cf923
fixed typo 2018-07-16 16:20:33 -05:00
megan201296
60310e94c6
fixed typo 2018-07-16 16:13:24 -05:00
Nik Seetharaman
3630386230 Add sysmon_cmstp_execution 2018-07-16 02:53:41 +03:00
Florian Roth
70ab83eb65
Merge pull request #109 from megan201296/patch-6 
Fixed typo
 2018-07-14 18:31:21 -06:00
megan201296
be7a3b0774
Update sysmon_susp_mmc_source.yml 2018-07-13 18:49:08 -05:00
megan201296
a6455cc612
typo fix 2018-07-13 18:48:36 -05:00
megan201296
8944be1efd
Update sysmon_susp_driver_load.yml 2018-07-13 18:36:12 -05:00
Florian Roth
57727d2397
Merge pull request #107 from megan201296/typo-fixes 
Typo fixes
 2018-07-10 10:29:10 -06:00
megan201296
24d2d0b258
Fixed typo 2018-07-10 09:14:37 -05:00
megan201296
d6ea0a49fc
Fixed typoes 2018-07-10 09:14:07 -05:00
megan201296
3ec67393cd
Fixed typo 2018-07-10 09:13:41 -05:00
megan201296
b0bc3b66ed
Fixed typo 2018-07-09 13:32:16 -05:00
megan201296
120479abb7
removed duplicates 2018-07-09 12:32:41 -05:00
megan201296
c4bd267151
Fixed typo 2018-07-09 12:02:42 -05:00
megan201296
a7ccfcb50d
Fixed spelling mistake 2018-07-09 09:13:31 -05:00
Florian Roth
c8fef4d093
fix: removed unnecessary lists 2018-07-07 15:43:56 -06:00
Florian Roth
dea019f89d fix: some threat levels adjusted 2018-07-07 13:00:23 -06:00
yt0ng
6a014a3dc8
MSHTA spwaned by SVCHOST as seen in LethalHTA 
"Furthermore it can be detected by an mshta.exe process spawned by svchost.exe."
 2018-07-06 19:52:58 +02:00
Florian Roth
ed470feb21
Merge pull request #99 from yt0ng/master 
Detects ImageLoad by uncommon Image
 2018-07-06 10:11:02 -06:00
yt0ng
b21afc3bc8
user subTee was removed from Twitter 2018-07-04 17:29:05 +02:00
yt0ng
f84c33d005
Known powershell scripts names for exploitation 
Detects the creation of known powershell scripts for exploitation
 2018-07-04 17:24:18 +02:00
Florian Roth
7867838540 fix: typo in rule description 2018-07-03 05:05:44 -06:00
Florian Roth
e7465d299f fix: false positive with MsMpEng.exe and svchost.exe as child process 2018-07-03 05:05:44 -06:00
yt0ng
42941ee105
Detects ImageLoad by uncommon Image 
Process Hollowing Described by SubTee using notepad https://twitter.com/subTee/status/1012657434702123008
 2018-07-01 15:47:17 +02:00
Florian Roth
9e0abc5f0b Adjusted rules to the new specs reg "not null" usage 2018-06-28 09:30:31 +02:00
Florian Roth
a61052fc0a Rule fixes 2018-06-27 18:47:52 +02:00
Florian Roth
fc72bd16af Fixed bugs 2018-06-27 09:20:41 +02:00
Florian Roth
f4b150def8 Rule: Powershell remote thread creation in Rundll32 2018-06-25 15:23:19 +02:00
Florian Roth
1a1011b0ad
Merge pull request #96 from yt0ng/master 
Detects the creation of a schtask via PowerSploit Default Configuration
 2018-06-23 17:15:14 +02:00
yt0ng
c59d0c7dca
Added additional options 2018-06-23 15:54:31 +02:00
yt0ng
cc3fd9f5d0
Detects the creation of a schtask via PowerSploit Default Configuration 
8690399ef7/Persistence/Persistence.psm1
 2018-06-23 15:45:58 +02:00
Florian Roth
d1d4473505 Rule: ADS with executable 
https://twitter.com/0xrawsec/status/1002478725605273600
 2018-06-03 02:08:57 +02:00
Florian Roth
49877a6ed0 Moved and renamed rule 2018-04-18 16:53:11 +02:00
Markus Härnvi
cf237cf658
"author" should be a string and not a list, according to the specification 2018-04-16 23:42:51 +02:00
Florian Roth
d8bbf26f2c Added msiexec to rule in order to cover new threats 
https://twitter.com/DissectMalware/status/984252467474026497
 2018-04-12 09:12:50 +02:00
Florian Roth
58517907ad Improved rule to provide support for for old sysmon \REGISTRY syntax 2018-04-11 20:15:17 +02:00
Florian Roth
0ffd226293 Moved new rule to sysmon folder 2018-04-11 20:11:54 +02:00
Florian Roth
52d405bb1b Improved shell spawning rule 2018-04-11 20:09:42 +02:00
Florian Roth
a9c7fe202e Rule: Windows shell spawning suspicious program 2018-04-09 08:37:30 +02:00
Florian Roth
e53826e167 Extended Sysmon Office Shell rule 2018-04-09 08:37:30 +02:00
Thomas Patzke
f113832c04
Merge pull request #69 from jmallette/rules 
Create cmdkey recon rule
 2018-04-08 23:23:30 +02:00
Thomas Patzke
a3e02ea70f Various rule fixes 
* Field name: LogonProcess -> LogonProcessName
* Field name: Message -> AuditPolicyChanges
* Field name: ProcessCommandLine -> CommandLine
* Removed Type match in Kerberos RC4 encryption rule
  Problematic because text representation not unified and audit failures are possibly interesting events
* Removed field 'Severity' from rules (Redundant)
* Rule decomposition of win_susp_failed_logons_single_source) because of different field names
* Field name: SubjectAccountName -> SubjectUserName
* Field name: TargetProcess -> TargetImage
* Field name: TicketEncryption -> TicketEncryptionType
* Field name: TargetFileName -> TargetFilename
 2018-03-27 14:35:49 +02:00
Thomas Patzke
dacc6ae3d3 Fieldname case: Commandline -> CommandLine 2018-03-25 23:08:28 +02:00
Florian Roth
e141a834ff Rule: Ping hex IP address 
https://github.com/vysec/Aggressor-VYSEC/blob/master/ping.cna
 2018-03-23 17:00:00 +01:00
Florian Roth
97204d8dc0 Renamed rule 2018-03-20 15:04:11 +01:00
Florian Roth
e9fcfcba7f Improved NetNTLM downgrade rule 2018-03-20 15:03:55 +01:00
Florian Roth
a7eb4d3e34 Renamed rule 2018-03-20 11:12:35 +01:00
Florian Roth
b84bbd327b Rule: NetNTLM Downgrade Attack 
https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks
 2018-03-20 11:07:21 +01:00
Florian Roth
a6d293e31d Improved tscon rule 2018-03-20 10:54:04 +01:00
Florian Roth
8fb6bc7a8a Rule: Suspicious taskmgr as LOCAL_SYSTEM 2018-03-19 16:36:39 +01:00
Florian Roth
af8be8f064 Several rule updates 2018-03-19 16:36:15 +01:00
Florian Roth
648ac5a52e Rules: tscon.exe anomalies 
http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html
https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6
 2018-03-17 19:14:13 +01:00
Karneades
49c12f1df8
Add missing binaries 2018-03-16 10:52:43 +01:00
Florian Roth
a257b7d9d7 Rule: Stickykey improved 2018-03-16 09:10:07 +01:00
Florian Roth
0460e7f18a Rule: Suspicious process started from taskmgr 2018-03-15 19:54:03 +01:00
Florian Roth
f5494c6f5f Rule: StickyKey-ike backdoor usage 2018-03-15 19:53:34 +01:00
Florian Roth
5ae5c9de19 Rule: Outlook spawning shells to detect Turla like C&C via Outlook 2018-03-10 09:04:11 +01:00
jmallette
aff46be8a3
Create cmdkey recon rule 2018-03-08 13:25:05 -05:00
Thomas Patzke
8ee24bf150 WMI persistence rules derived from blog article 
https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/#so-to-summarize
 2018-03-07 23:05:10 +01:00
Thomas Patzke
8041f77abd Merged similar rules 2018-03-06 23:19:11 +01:00
Thomas Patzke
84645f4e59 Simplified rule conditions with new condition constructs 2018-03-06 23:14:43 +01:00
Florian Roth
1001afb038 Rule: CVE-2015-1641 2018-02-22 16:59:40 +01:00
Florian Roth
25dc3e78be Lowered severity of rule - prone to false positives 2018-02-22 16:59:11 +01:00
Florian Roth
9020a9aa32 Fixed file names "vuln" > "exploit" 2018-02-22 13:29:19 +01:00
Florian Roth
5d763581fa Adding status "experimental" to that rule 2018-02-22 13:28:01 +01:00
Florian Roth
0be687d245 Rule: Detect CVE-2017-0261 exploitation 2018-02-22 13:27:20 +01:00
Florian Roth
fa4dbc0f2e Rule: QuarksPwDump temp dump file 2018-02-10 15:25:36 +01:00
SherifEldeeb
348728bdd9 Cleaning up empty list items 2018-01-28 02:36:39 +03:00
SherifEldeeb
48441962cc Change All "str" references to be "list"to mach schema update 2018-01-28 02:24:16 +03:00
SherifEldeeb
112a0939d7 Change "reference" to "references" to match new schema 2018-01-28 02:12:19 +03:00
Florian Roth
aca70e57ec Massive Title Cleanup 2018-01-27 10:57:30 +01:00
Florian Roth
285f5bab4f Removed duplicate string 2017-12-11 09:31:54 +01:00
Florian Roth
78854b79c4 Rule: System File Execution Location Anomaly 2017-11-27 14:09:22 +01:00
Florian Roth
93fbc63691 Rule to detect droppers exploiting CVE-2017-11882 2017-11-23 00:58:31 +01:00
Florian Roth
59e5b3b999 Sysmon: Named Pipe detection for APT malware 2017-11-06 14:24:42 +01:00
Florian Roth
37cea85072 Rundll32.exe suspicious network connections 2017-11-04 14:44:30 +01:00
Thomas Patzke
720c992573 Dropped within keyword 
Covered by timeframe attribute.

Fixes issue #26.
 2017-10-30 00:25:56 +01:00
Thomas Patzke
27227855b5 Merge branch 'devel-sigmac' 2017-10-29 23:59:49 +01:00
Thomas Patzke
012cb6227f Added proper handling of null/not null values 
Fixes issue #25
 2017-10-29 23:57:39 +01:00
Florian Roth
b7e8000ccb Improved Office Shell rule > added 'schtasks.exe' 2017-10-25 23:53:45 +02:00
Thomas Patzke
d7c659128c Removed unneeded array 2017-10-18 15:12:29 +02:00
Florian Roth
deea224421 Rule: New RUN Key Pointing to Suspicious Folder 2017-10-17 16:19:56 +02:00
Florian Roth
00baa4ed40 Executables Started in Suspicious Folder 2017-10-14 23:23:04 +02:00
Florian Roth
358d1ffba0 Executables Started in Suspicious Folder 2017-10-14 23:22:20 +02:00
Florian Roth
20f9dbb31c CVE-2017-8759 - Winword.exe > csc.exe 2017-09-15 15:49:56 +02:00
Thomas Patzke
986c9ff9b7 Added field names to first rules 2017-09-12 23:54:04 +02:00
Thomas Patzke
68cb5e8921 Merge pull request #45 from secman-pl/patch-1 
Update sysmon_susp_regsvr32_anomalies to detect wscript child process
 2017-09-10 22:52:37 +02:00
Florian Roth
bfe8378455 Rule: Suspicious svchost.exe process 2017-08-31 11:07:45 +02:00
secman-pl
9768f275d0 Update sysmon_susp_regsvr32_anomalies 
Rule to detect COM scriptlet invocation when wscript.exe is spawned from regsvr32.exe. 
example: https://www.hybrid-analysis.com/sample/f34da6d84a9663928606894fbc494cd9bf2f03c98cf0c775462802558d3a50ef?environmentId=100
SCT script code:
var objShell = new ActiveXObject("WScript.shell");
 2017-08-29 12:21:47 +02:00
Florian Roth
f3f2c14b3a Added reference to regsvr32 rule 2017-08-29 08:45:29 +02:00
Florian Roth
55f4c37e22 Rule: Microsoft Binary Github Communication 2017-08-24 18:27:40 +02:00
Hans-Martin Münch
09e754a8f9 Small Typo fix 2017-08-22 10:56:25 +02:00
Florian Roth
59821d1bcb Office Shell: Reference added to new entry 2017-08-22 10:04:22 +02:00
Florian Roth
8f4a780c3b Added regsvr32.exe to suspicious child processes 2017-08-20 23:14:41 +02:00
Thomas Patzke
4578756cfd Merge remote-tracking branch 'origin/master' 2017-08-05 00:35:24 +02:00
Thomas Patzke
03985288f6 Removed 'last' from timeframe 2017-08-05 00:32:24 +02:00
Florian Roth
edb52e098a Extended hh.exe in Office Shell detection 
https://www.hybrid-analysis.com/sample/6abc2b63f1865a847ff7f5a9d49bb944397b36f5503b9718d6f91f93d60f7cd7?environmentId=100
 2017-08-04 09:18:55 +02:00
Thomas Patzke
5706361464 Parsing of "near ... within" aggregation operator 
* Operator is only parsed. No processing or passing of parsed data to
  backends.
* Changed rule sysmon_mimikatz_inmemory_detection.yml accordingly.
 2017-08-03 00:05:48 +02:00
Thomas Patzke
f768bf3d61 Fixed parse errors 2017-08-02 22:49:15 +02:00
Thomas Patzke
84418d2045 Merged builtin/win_susp_certutil_activity.yml with Sysmon rule 2017-08-02 00:04:28 +02:00
Florian Roth
cdf0894e6a Corrected error in certutil rules (-f means force overwrite, not file) 
> the -urlcache is the relevant command
 2017-07-20 12:54:55 -06:00
Florian Roth
3a55b31da2 certutil file download - more generic approach 2017-07-20 12:48:47 -06:00
Florian Roth
b85d96e458 certutil detections (renamed, extended) 
see https://twitter.com/subTee/status/888102593838362624
 2017-07-20 12:38:10 -06:00
Florian Roth
8f525d2f01 Wannacry Rules Reorg and Renaming 2017-06-28 09:08:53 +02:00
Florian Roth
576981820b Moved PlugX rule & used builtin ID 4688 for another rule 2017-06-12 11:02:49 +02:00
Florian Roth
371b41acd9 Improved regsvr32.exe whitelisting bypass rule 
thanks to Nick Carr https://twitter.com/ItsReallyNick/status/872409920938946560
 2017-06-07 13:46:36 +02:00
Florian Roth
e5ad1b2f84 Improved regsvr32 whitelisting bypass rule 2017-06-07 12:02:55 +02:00
Florian Roth
1fd7a92e87 Regsvr32.exe anomalies (bugfix and new selection) 2017-06-07 11:43:25 +02:00
Florian Roth
0c222134b9 Extended malware script dropper rule 2017-05-25 14:59:16 +02:00
Florian Roth
0685e297c8 Improved Suspicious Net.exe Execution Rule 2017-05-25 12:44:56 +02:00
Florian Roth
6ad5f82248 Corrected rule 2017-05-25 12:06:23 +02:00
dimi
0b8c82b75b 1) Add Windows DHCP Server Callout DLL rules: Sysmon, failed loading and successfull loading 
2) correct typo in dns server rule
 2017-05-15 20:58:31 +02:00
Florian Roth
75e55d647b Fixed and added strings 2017-05-13 18:33:51 +02:00
Florian Roth
46643324a8 Wannacrypt Update 2017-05-13 10:40:41 +02:00
Florian Roth
c40c592fb5 Changed rule as "m.vbs" isn't stable 2017-05-13 08:32:30 +02:00
Florian Roth
7c56992de5 Reference in WannaCrypt rule 2017-05-12 23:02:13 +02:00
Florian Roth
b7837d4cdb Fixed WannaCrypt rule 2017-05-12 22:32:40 +02:00
Florian Roth
5cdb2b013b WannaCrypt Ransomware 2017-05-12 21:57:53 +02:00
Florian Roth
16ac2337a4 Suspicious DNS Server Config Error - Sysmon Rule 2017-05-08 13:39:50 +02:00
Florian Roth
c7cc2a00d3 WScript/CScript Dropper 2017-05-05 17:30:46 +02:00
Florian Roth
a5c3f424c1 regsvr32 Anomalies 2017-04-16 12:02:29 +02:00
Florian Roth
769156a83b Minor fix > list to single value 2017-04-16 12:01:03 +02:00
Florian Roth
8363b25888 Suspicious Control Panel DLL Load 2017-04-15 23:32:26 +02:00
Florian Roth
89e43c1059 Improved MSHTA rule 2017-04-13 09:25:34 +02:00
Florian Roth
059cfbf15a Removed duplicate 2017-04-13 01:21:46 +02:00
Florian Roth
c2ed7bd9df MSHTA Rule v1 2017-04-13 01:08:37 +02:00
Florian Roth
92b4a7ad93 Added reference 2017-04-07 15:42:08 +02:00
Florian Roth
0650aa3cbe Rule: Suspicious cmd.exe combo with http and AppData 2017-04-03 10:41:10 +02:00
Florian Roth
fa90fb2fed Improved WMIC process call create rule 2017-03-29 22:11:05 +02:00
Florian Roth
e6a81623a8 PowerShell Combo - False Positive with MOM 2017-03-29 22:10:28 +02:00
Florian Roth
f91f813b3f Improved certutil.exe rules 2017-03-27 22:30:26 +02:00
Florian Roth
b0c8ffb051 Combined vssadmin rule 2017-03-26 01:27:26 +01:00
Florian Roth
800262a738 Renamed and double removed 2017-03-26 01:27:08 +01:00
Michael Haag
5ea6fad999 net.exe and wmic.exe 
Suspicious execution of net and wmic
 2017-03-25 06:48:23 -07:00
Florian Roth
10ee36f26c Updated Eventvwr UAC evasion 2017-03-22 14:40:55 +01:00
Florian Roth
3bfa9ed121 Bugfix: Minor fix cause Sysmon uses SID as Software key 2017-03-21 10:44:53 +01:00
Florian Roth
b1da8c5b32 Bugfix: Fixed UAC bypass rules 2017-03-21 10:42:22 +01:00
Florian Roth
f9be5b99ad Rule: Suspicious task creation description changed 2017-03-21 10:23:53 +01:00
Florian Roth
6f38a44ec1 Broader definition certutil.exe rule 2017-03-20 22:07:04 +01:00
Florian Roth
2817ea2605 Bugfix in UAC Rule 2017-03-19 19:46:19 +01:00
Florian Roth
b2c15c2cf7 Rule: UAC bypass via eventvwr, minor changes 2017-03-19 19:34:06 +01:00
Florian Roth
c82da0dc5c Rules: Suspicious locations and back connect ports 2017-03-19 15:22:27 +01:00
Thomas Patzke
56f415e42c Fixed rule 2017-03-17 22:09:53 +01:00
Omer Yampel
d3bd73aefb Create sysmon_sdclt_uac_bypass.yml 
UAC Bypass from https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/. Sorry in advance for not being 100% about the sysmon event ids / fields
 2017-03-17 14:31:26 -04:00
Florian Roth
3a7652fff9 Added references to rule 2017-03-17 00:25:54 +01:00
Florian Roth
c6843d41bc Rule: Vssadmin / NTDS.dit activity 2017-03-17 00:23:55 +01:00
Florian Roth
d00bbd9fb5 Rule: Windows recon activity 2017-03-16 18:59:17 +01:00
Florian Roth
140141b7a2 Rule: Suspicious PowerShell parent image combination 2017-03-16 18:58:59 +01:00
Florian Roth
091bb8fab7 Renamed and removed double space 2017-03-16 18:58:32 +01:00
Florian Roth
cb683a6b56 Rule: Suspicious executions in web folders / non-exe folders 2017-03-13 23:56:06 +01:00
Florian Roth
c571848e9b Rule: Scheduled task creation 2017-03-13 20:45:28 +01:00
Florian Roth
de46c8c0a0 Reduced to user accounts 2017-03-13 19:09:29 +01:00
Florian Roth
36c941d5d8 Restrict rule to non-private IP ranges only 2017-03-13 18:45:15 +01:00
Florian Roth
8d36e2a1b5 Rule: Suspicious PowerShell Parameter Substring 2017-03-13 17:23:25 +01:00
Florian Roth
85c298c43c Bugfix in rule 2017-03-13 15:09:48 +01:00
Florian Roth
606d74546a Rule: PowerShell with network connections 2017-03-13 13:57:41 +01:00
Florian Roth
a0047f7c67 Sysmon as 'service' of product 'windows' 2017-03-13 09:23:08 +01:00
Florian Roth
4470c2f893 PowerShell Suspicious Invocation > Sysmon 2017-03-12 17:11:05 +01:00
Florian Roth
d6957f1c2e Merge pull request #10 from MHaggis/master 
Sysmon
 2017-03-09 08:05:22 +01:00
Michael Haag
c5f05dd829 bitsadmin & VSSAdmin 
+Bitsadmin download
+VSSAdmin delete
 2017-03-08 22:49:35 -08:00
Florian Roth
7b815ef3e5 Sysmon PowerShell - Suspicious Param Combination 2017-03-05 23:51:39 +01:00
Florian Roth
12535417d9 Typo 2017-03-05 01:47:37 +01:00
Michael Haag
a3cd7123a8 wscript/cscript 
WSF, JSE, JS, VBA and VBE file execution
 2017-03-04 14:40:34 -08:00
Michael Haag
4ac5d86479 mshta shells 
🐚 for all!
 2017-03-04 14:33:09 -08:00
Michael Haag
1317fe9df2 Modifications 
+ Added Sysmon detection of Office binaries spawning Windows shells
+ Additional web servers added for webshell detection
 2017-03-04 14:22:44 -08:00
Florian Roth
a9d6295791 Rule: Sysmon Malware Shellcode in Verclsid Process 2017-03-04 10:38:23 +01:00
Florian Roth
15e61a9681 Rule: Certutil Decode in AppData 2017-03-02 11:28:34 +01:00
Florian Roth
b6459a00ab Two new Sysmon rules for Office Macro/PS detection 2017-03-02 11:06:53 +01:00
Florian Roth
8559837aab Removed Sysmon EventLog from selection > via 'logsource' 2017-03-02 11:06:20 +01:00
Florian Roth
b4f2a74371 Proposed changes to mimimkatz-inmemory aggregation 2017-03-01 10:16:43 +01:00
Thomas Patzke
15c6f9411b Rule review 
* Typos
* Added false positive descriptions
 2017-02-24 23:44:42 +01:00
Florian Roth
52d04e52ac Removed lists from log source section 2017-02-19 11:08:40 +01:00
Florian Roth
166f207dc0 Sysmon rules 'logsource' change 2017-02-19 09:19:06 +01:00
Florian Roth
cd6e24c5ff Added "logsource" sections and new rule 2017-02-19 00:31:59 +01:00
Florian Roth
18fd63f6b7 Levels to low, medium, high, critical 2017-02-16 18:06:22 +01:00
Thomas Patzke
88270fcf2d Rule review and cleanup 
* removed unnecessary one element lists from definitions
* converted some lists of one element maps to maps because the resulting
  OR linkage would cause wrong result.
 2017-02-15 23:53:08 +01:00
Florian Roth
a6173df0b9 LSASS Remote Thread Update 2017-02-12 16:33:09 +01:00
Florian Roth
04ea201817 New rules and cleanup 2017-02-12 15:50:39 +01:00
Florian Roth
a2adb1ddb5 Renamed rule files, new rules 2017-02-10 19:17:02 +01:00
Florian Roth
1307a45fd5 Moved rules to a separate directory 2017-02-07 00:44:40 +01:00