Ömer Günal
0e7eb32f62
update description
2020-10-05 20:22:43 +03:00
Ömer Günal
1e7a47440f
Install Root Certificate
2020-10-05 20:21:20 +03:00
Florian Roth
d3ee1aba66
docs: MITRE ATT&CK(R) trademark references removed or adjusted
...
https://github.com/Neo23x0/sigma/issues/1028
2020-09-30 08:53:52 +02:00
Mike Wade
8ce73bd8df
Fixed issues with tags and missing files
2020-09-15 06:10:57 -06:00
Mike Wade
52ab677798
Fixed my git issue
2020-09-13 22:03:04 -06:00
Florian Roth
de5444a81e
Merge pull request #989 from oscd-initiative/master
...
[OSCD Initiative][ATT&CK tags update]
2020-09-08 13:27:58 +02:00
Florian Roth
af3b93a522
Merge pull request #914 from omergunal/ogunal-2
...
New rules for Linux
2020-09-07 09:41:43 +02:00
Timur Zinniatullin
8dba6ceee6
2nd review
2020-08-25 09:31:38 +03:00
Timur Zinniatullin
1244cacfbf
Update lnx_auditd_create_account.yml
2020-08-25 09:20:27 +03:00
Timur Zinniatullin
72fdf0da45
Update lnx_auditd_susp_cmds.yml
2020-08-04 20:00:30 +03:00
Timur Zinniatullin
4e688233d7
ATT&CK mapping update suggestions for \linux\
2020-08-04 19:48:18 +03:00
Florian Roth
1c63a93643
fix: wrong casing in tag
2020-07-13 16:20:51 +02:00
viniciusvec
26f0d49772
Update lnx_shell_clear_cmd_history.yml
...
Renamed tags to match production MITRE: https://attack.mitre.org/techniques/T1070/003/
2020-07-13 14:06:14 +01:00
Ömer Günal
bee467dbd6
Rename lnx_setgid_setuid to lnx_setgid_setuid.yml
2020-07-13 01:36:20 +03:00
Ömer Günal
bf8f0307b7
Rename lnx_space_after_filename_ to lnx_space_after_filename_.yml
2020-07-13 01:33:59 +03:00
Ömer Günal
4b74a0df76
Create lnx_space_after_filename_
2020-07-13 01:33:39 +03:00
Ömer Günal
c749aa2539
Create lnx_setgid_setuid
2020-07-13 01:33:09 +03:00
Ömer Günal
6b24a5df65
Create lnx_security_tools_disabling.yml
2020-07-13 01:32:24 +03:00
Ömer Günal
bdeca13825
Create lnx_proxy_connection.yml
2020-07-13 01:31:05 +03:00
Ömer Günal
708a28e307
Delete lnx_space_after_filename.yml
2020-07-13 01:26:37 +03:00
Ömer Günal
af6ad5a41b
Delete lnx_setuid_setgid.yml
2020-07-13 01:26:29 +03:00
Ömer Günal
64a9b6e098
Delete lnx_disabling_security_tools.yml
2020-07-13 01:26:11 +03:00
Ömer Günal
7466c8d425
Delete lnx_connection_proxy.yml
2020-07-13 01:26:03 +03:00
Ömer Günal
7ce16d1bbc
Update lnx_space_after_filename.yml
2020-07-13 01:07:32 +03:00
Ömer Günal
47a2f1bc94
Update lnx_space_after_filename.yml
2020-07-03 18:56:51 +03:00
Ömer Günal
51363d8a87
Update lnx_setuid_setgid.yml
2020-07-03 18:56:40 +03:00
Ömer Günal
87346d4b94
Update lnx_disabling_security_tools.yml
2020-07-03 18:56:30 +03:00
Ömer Günal
64afd6e7ee
Update lnx_connection_proxy.yml
2020-07-03 18:56:19 +03:00
Florian Roth
26d8810efb
Merge pull request #882 from Neo23x0/rule-devel
...
Rule devel
2020-07-03 15:33:55 +02:00
Florian Roth
8a0262d1a2
fix: in linux keyword expression
2020-07-03 15:08:20 +02:00
Florian Roth
5dd5b87f43
rule: guacamole exploitation detection
2020-07-03 13:20:03 +02:00
Florian Roth
fa452bf3e5
Merge pull request #849 from omergunal/ogunal-1
...
Rules for detecting suspicious remote file copy
2020-07-03 11:59:45 +02:00
Florian Roth
b9966a173c
Update lnx_file_copy.yml
2020-07-03 11:32:49 +02:00
Ömer Günal
4eb97ec43d
Update lnx_file_copy.yml
2020-06-22 21:35:50 +03:00
Ömer Günal
d17e0ae6eb
typo
2020-06-20 23:04:52 +03:00
Ömer Günal
93719d8a01
Merge pull request #1 from omergunal/omergunal-patch-1
...
Remote file copy
2020-06-18 23:56:29 +03:00
Ömer Günal
40a07a2d4f
Delete lnx_sudo_enumeration.yml
2020-06-18 23:55:24 +03:00
Ömer Günal
d87b0c95a4
Delete lnx_trap.yml
2020-06-18 23:55:16 +03:00
Ömer Günal
8db7c3207a
Delete lnx_sudo_caching.yml
2020-06-18 23:54:43 +03:00
Ömer Günal
5bc72b6cba
Delete lnx_space_after_filename.yml
2020-06-18 23:54:28 +03:00
Ömer Günal
f10440b9fa
Delete lnx_setuid_setgid.yml
2020-06-18 23:54:20 +03:00
Ömer Günal
6c8d104e7d
Delete lnx_disabling_security_tools.yml
2020-06-18 23:54:06 +03:00
Ömer Günal
84c4683607
Delete lnx_connection_proxy.yml
2020-06-18 23:53:43 +03:00
Ömer Günal
c6c455a3ec
Remote file copy
2020-06-18 23:37:49 +03:00
Ömer Günal
9bfc3d6807
Delete lnx_file_copy.yml
2020-06-18 23:37:12 +03:00
Ömer Günal
a963630db8
Remote File Copy
2020-06-18 23:36:29 +03:00
Ömer Günal
3a607abe33
Update lnx_trap.yml
2020-06-17 19:51:53 +03:00
Ömer Günal
7b86f4aefb
Update lnx_trap.yml
2020-06-17 19:47:31 +03:00
Ömer Günal
ebbd32d2e1
file extension
2020-06-17 19:43:57 +03:00
Ömer Günal
f989f7e155
file extension
2020-06-17 19:43:49 +03:00
Ömer Günal
772c03c49a
Connection Proxy
2020-06-17 19:39:55 +03:00
Ömer Günal
9d285ecf74
Trap
2020-06-17 19:39:00 +03:00
Ömer Günal
d0b66ab828
Space After Filename
2020-06-17 19:38:38 +03:00
Ömer Günal
3b8fb9e3d8
Disabling Security Tools
2020-06-17 19:38:10 +03:00
Ivan Kirillov
0fbfcc6ba9
Initial round of subtechnique updates
2020-06-16 14:46:08 -06:00
Florian Roth
fd2429bd34
Update lnx_setuid_setgid.yml
2020-06-16 19:46:50 +02:00
Florian Roth
06fe720165
Update lnx_sudo_enumeration.yml
2020-06-16 19:33:39 +02:00
Florian Roth
545c05d4d3
Update lnx_setuid_setgid.yml
2020-06-16 19:31:34 +02:00
Ömer Günal
0027415fa2
Update lnx_setuid_setgid.yml
2020-06-16 20:26:50 +03:00
Ömer Günal
41b2309418
file type changed
2020-06-16 20:24:09 +03:00
Ömer Günal
0d0058da43
added id
2020-06-16 20:21:07 +03:00
Ömer Günal
bbcd506fb1
added id
2020-06-16 20:21:02 +03:00
Ömer Günal
ace575aaa6
added id
2020-06-16 20:20:42 +03:00
Ömer Günal
4b1557a587
Setuid and Setgid
...
Detects suspicious change of file privileges with chown and chmod commands
2020-06-16 20:12:24 +03:00
Ömer Günal
b7e1c6750c
sudo caching
...
attack.t1206
2020-06-16 19:31:02 +03:00
Ömer Günal
e43f13ed67
Update lnx_sudo_enumeration.yml
...
attack.t1169
2020-06-16 19:20:42 +03:00
Ömer Günal
52487159c5
Detect Sudo enumeration commands
2020-06-16 19:17:00 +03:00
Florian Roth
74e16fdccd
Merge pull request #803 from gamma37/clear_cmd_history
...
Edit Clear Command History
2020-05-29 17:32:43 +02:00
gamma37
537bda4417
Update lnx_shell_clear_cmd_history.yml
2020-05-28 10:56:35 +02:00
gamma37
5a48934822
Edit Clear Command History
...
I suggest a new point of view to detect that bash_history has been cleared : Instead of trying to detect all the commands that can do that, we could monitor the size of the file and log whenever it has less than 1 line.
2020-05-28 10:52:17 +02:00
Florian Roth
8321cc7ee1
Merge pull request #772 from gamma37/suspicious_activities
...
Create a rule for "suspicious activities"
2020-05-23 18:11:32 +02:00
Florian Roth
e1a05dfc1c
Update lnx_auditd_susp_C2_commands.yml
2020-05-23 16:49:03 +02:00
gamma37
71c507d8a9
remove space bedore colon
2020-05-18 11:34:53 +02:00
gamma37
55eec46932
Create a rule for "suspicious activities"
2020-05-18 11:25:18 +02:00
gamma37
cbf06b1e43
lowercased tag
2020-05-18 10:11:32 +02:00
gamma37
904716771a
Create a new rule to detect "Create Account"
2020-05-18 10:03:34 +02:00
Florian Roth
7b713fbe7f
rule: OpenSSHd rule adjusted
2020-05-15 17:19:32 +02:00
Thomas Patzke
373424f145
Rule fixes
...
Made tests pass the new CI tests. Added further allowed lower case words
in rule test.
2020-02-20 23:00:16 +01:00
Thomas Patzke
d7bd90cb24
Merge branch 'master' into oscd
2020-02-03 23:13:16 +01:00
Thomas Patzke
593abb1cce
OSCD QA wave 3
2020-02-02 12:41:12 +01:00
Florian Roth
03ecb3b8dc
refactor: moved rues from 'apt' folder in respective folders
2020-02-01 17:59:26 +01:00
Florian Roth
d42e87edd7
fix: fixed casing and long rule titles
2020-01-30 17:26:09 +01:00
Florian Roth
e79e99c4aa
fix: fixed missing date fields in remaining files
2020-01-30 16:07:37 +01:00
Florian Roth
efd3af0812
fix: fixed missing date fields in other files
2020-01-30 15:32:39 +01:00
Thomas Patzke
924e1feb54
UUIDs + moved unsupported logic
...
* Added UUIDs to all contributed rules
* Moved unsupported logic directory out of rules/ because this breaks CI
testing.
2019-12-19 23:56:36 +01:00
yugoslavskiy
edad1695f6
Merge branch 'oscd' of https://github.com/mrblacyk/sigma into mrblacyk-oscd
2019-12-02 02:56:53 +01:00
yugoslavskiy
48a94d1609
Update lnx_dd_delete_file.yml
2019-12-02 02:54:48 +01:00
yugoslavskiy
ca1c2f4436
Update lnx_chattr_immutable_removal.yml
2019-12-02 02:54:32 +01:00
yugoslavskiy
9e90335a5a
Update lnx_pers_systemd_reload.yml
2019-12-02 02:54:13 +01:00
yugoslavskiy
46ca68436e
Update lnx_file_or_folder_permissions.yml
2019-12-02 02:53:35 +01:00
mrblacyk
9d0889def4
Adding auditd compatibility
2019-11-29 09:34:08 +01:00
mrblacyk
cafbb25d2e
Update lnx_file_or_folder_permissions.yml
2019-11-29 09:33:04 +01:00
mrblacyk
bf5e6cc56b
Adding auditd compatibility
2019-11-29 09:32:05 +01:00
mrblacyk
a15c84eb80
Adding auditd compatibility
2019-11-29 09:27:31 +01:00
yugoslavskiy
efc404fbae
resolve conflicts with rule IDs; restored and deprecated sysmon_mimikatz_detection_lsass.yml
2019-11-19 02:11:19 +01:00
Thomas Patzke
0592cbb67a
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
Thomas Patzke
5f6a4225ec
Unified line terminators of rules to Unix
2019-11-12 23:05:36 +01:00
yugoslavskiy
a4331b0eec
Merge pull request #498 from theRabbitCode/oscd
...
[OSCD] Added Atomic Blue Detections Repo
2019-11-11 23:22:57 +03:00
yugoslavskiy
bdff2c312b
Update lnx_auditd_ld_so_preload_mod.yml
2019-11-11 01:44:53 +03:00
yugoslavskiy
69a99bc2c3
Merge pull request #493 from alx1m1k/oscd
...
[OSCD] rules from Jet CSIRT team
2019-11-10 23:11:24 +03:00
yugoslavskiy
82f23c5f63
Merge pull request #477 from zinint/oscd
...
add 13 new rules:
- rules/linux/auditd/lnx_auditd_masquerading_crond.yml
- rules/linux/auditd/lnx_auditd_user_discovery.yml
- rules/linux/auditd/lnx_data_compressed.yml
- rules/linux/auditd/lnx_network_sniffing.yml
- rules/windows/powershell/powershell_data_compressed.yml
- rules/windows/powershell/powershell_winlogon_helper_dll.yml
- rules/windows/process_creation/win_change_default_file_association.yml
- rules/windows/process_creation/win_data_compressed_with_rar.yml
- rules/windows/process_creation/win_local_system_owner_account_discovery.yml
- rules/windows/process_creation/win_network_sniffing.yml
- rules/windows/process_creation/win_query_registry.yml
- rules/windows/process_creation/win_service_execution.yml
- rules/windows/process_creation/win_xsl_script_processing.yml
modify 1 rule:
- rules/windows/process_creation/win_possible_applocker_bypass.yml
2019-11-05 04:55:29 +03:00
yugoslavskiy
534f5fc0e1
Update lnx_network_sniffing.yml
2019-11-05 04:40:40 +03:00
yugoslavskiy
70fdd9c7d7
Update lnx_data_compressed.yml
2019-11-05 04:38:27 +03:00
yugoslavskiy
75f2b8536f
Update lnx_auditd_user_discovery.yml
2019-11-04 22:14:30 +03:00
yugoslavskiy
8b2216e94e
Update lnx_auditd_masquerading_crond.yml
2019-11-04 22:14:10 +03:00
yugoslavskiy
0d5489bbb0
Update lnx_auditd_user_discovery.yml
2019-11-04 22:07:30 +03:00
yugoslavskiy
bb71f95810
Update lnx_auditd_masquerading_crond.yml
2019-11-04 21:58:42 +03:00
yugoslavskiy
1f1fd68331
Merge pull request #472 from feedb/oscd
...
add 11 new rules:
- rules/linux/auditd/lnx_auditd_web_rce.yml
- rules/windows/process_creation/process_creation_susp_bginfo.yml
- rules/windows/process_creation/process_creation_susp_cdb.yml
- rules/windows/process_creation/process_creation_susp_devtoolslauncher.yml
- rules/windows/process_creation/process_creation_susp_dnx.yml
- rules/windows/process_creation/process_creation_susp_dxcap.yml
- rules/windows/process_creation/process_creation_susp_msoffice.yml
- rules/windows/process_creation/process_creation_susp_odbcconf.yml
- rules/windows/process_creation/process_creation_susp_openwith.yml
- rules/windows/process_creation/process_creation_susp_psr_capture_screenshots.yml
- rules/windows/sysmon/sysmon_webshell_creation_detect.yml
2019-11-04 20:40:58 +03:00
yugoslavskiy
8a35a51211
Update lnx_auditd_web_rce.yml
2019-11-04 18:08:17 +03:00
zinint
11e7bdc727
Update lnx_network_sniffing.yml
2019-10-30 22:59:46 +03:00
zinint
fd09c00b35
Update lnx_network_sniffing.yml
2019-10-30 20:59:07 +03:00
zinint
3d106d8e7f
Update lnx_network_sniffing.yml
2019-10-30 19:11:51 +03:00
zinint
e0c5479f0a
Update lnx_network_sniffing.yml
2019-10-30 19:10:48 +03:00
zinint
b5b40f2861
Update lnx_network_sniffing.yml
2019-10-30 19:07:05 +03:00
zinint
cc4a8df5e3
Update lnx_network_sniffing.yml
2019-10-30 19:06:53 +03:00
zinint
7e3d8ccaf3
T1040
2019-10-30 19:05:50 +03:00
zinint
4a560e9375
T1002
2019-10-29 22:56:45 +03:00
zinint
583980f8ec
Delete win_data_compressed.yml
2019-10-29 22:56:30 +03:00
zinint
4eb7965662
T1002
2019-10-29 22:54:42 +03:00
zinint
950796f71f
Update lnx_auditd_masquerading_crond.yml
2019-10-29 22:48:39 +03:00
zinint
c5599399b5
Update lnx_auditd_masquerading_crond.yml
2019-10-29 22:48:00 +03:00
zinint
47f7d648a3
T1036
2019-10-29 22:33:03 +03:00
Yugoslavskiy Daniil
3376cf4dd8
fix some typos and remove redundand references
2019-10-29 01:40:06 +03:00
RRRabbit
becfca6b41
Added Atomic Blue Detections Repo
2019-10-28 11:59:49 +01:00
zinint
d1cf80d9b6
Update lnx_auditd_user_discovery.yml
2019-10-28 00:00:06 +03:00
zinint
68b4541274
t1033
2019-10-27 23:59:16 +03:00
Mikhail Larin
334301c185
OSCD event rules from Jet CSIRT team
2019-10-25 17:57:56 +03:00
mrblacyk
499627edf3
File permissions modification (T1222)
2019-10-23 11:24:13 -07:00
mrblacyk
c2d906c15f
DD overwrite with zero/null (T1485)
2019-10-23 11:22:33 -07:00
mrblacyk
5ae267e326
Linux systemd reload or start rule (T1501)
2019-10-23 11:21:19 -07:00
root
fb53855ae5
add rule sysmon_webshell_creation_detect.yml
2019-10-22 05:50:49 +02:00
root
e47caf4749
add rule lnx_auditd_web_rce.yml
2019-10-21 11:54:21 +02:00
root
a499141483
modified rule lnx_auditd_web_rce.yml
2019-10-21 11:28:59 +02:00
root
ac8308dfc9
add rule lnx_auditd_web_rce.yml
2019-10-21 11:14:24 +02:00
Florian Roth
454ba2b576
rule: modified sudo vuln rule to be most generic
2019-10-20 14:02:10 +02:00
Florian Roth
08ff2f38bc
Revert "rule: modified sudo vuln rule to be most generic"
...
This reverts commit ef6a25d109
.
2019-10-20 14:01:14 +02:00
Florian Roth
ef6a25d109
rule: modified sudo vuln rule to be most generic
2019-10-20 10:37:05 +02:00
Thomas Patzke
522f021ef1
Merge pull request #461 from Galapag0s/patch-2
...
Added Additional history clearing options
2019-10-16 22:35:41 +02:00
Florian Roth
36f678930d
rule: updated sudo vuln rule to detect 0-padding part 2
...
https://twitter.com/joshbressers/status/1184455759620378627
2019-10-16 15:10:44 +02:00
Florian Roth
5374d18e4b
rule: updated sudo vuln rule to detect 0-padding
...
https://twitter.com/taviso/status/1184238670343065600
2019-10-16 15:03:28 +02:00
Florian Roth
921a39f1e3
rule: extended sudo rule with variant for USER field
2019-10-15 14:55:09 +02:00
Florian Roth
96d77447d2
rule: added reference and mitre tags
2019-10-15 09:44:17 +02:00
Florian Roth
49ed76004c
rule: sudo priv esc vuln CVE-2019-14287
2019-10-15 09:39:08 +02:00
Galapag0s
1e4ef648db
Added Additional history clearing options
...
history -w will clear the current shell history
shred purposely overwrites data replacing it with random data
2019-09-26 12:53:13 -04:00
Galapag0s
ccdda5e82b
Update lnx_shell_priv_esc_prep.yml
2019-09-06 11:29:42 -04:00
Galapag0s
23021aa110
Added Sticky Bits
...
Attackers may look to exploit binaries with the sticky bits enabled. By being able to run a binary as a different user or group, they may be able to run separate commands as an elevated user.
2019-09-06 11:25:48 -04:00
Florian Roth
f5a8a81ff7
fix: linux cmds rule
2019-07-02 15:22:26 +02:00
petermmm
b6c4e64a9b
fixed attack category number 2->3
2019-05-12 11:59:13 +02:00
petermmm
2778558ae3
added rule .bash_profile and .bashrc T1156
2019-05-12 02:07:13 +02:00
Thomas Patzke
46c789105b
Fix and ordering
2019-05-10 00:08:26 +02:00
patrick
ca4b710c01
Added Sigma Use Case detecting Privilege Escalation Preparation in Linux
2019-04-07 15:36:19 +02:00
Florian Roth
2b814011cd
Merge pull request #287 from P4T12ICK/feature/lnx-clear-cmd-history-signature
...
Add new signature for linux clear command history
2019-04-03 19:45:06 +02:00
Florian Roth
6cc1770351
Merge pull request #294 from Pr0t3an/patch-3
...
Update lnx_shell_susp_rev_shells.yml
2019-04-03 01:07:07 +02:00
Florian Roth
b76925f838
Rule: extending rule with /dev/udp
2019-04-02 20:09:13 +02:00
Pr0t3an
d067087632
Update lnx_shell_susp_rev_shells.yml
...
added
- 'bash -i >& /dev/udp/'
- 'sh -I >$ /dev/udp/'
- 'sh -i >$ /dev/tcp/'
2019-04-02 18:22:18 +01:00
Florian Roth
5c5a16c4d5
Rule: adding xterm -display string to rule
2019-04-02 18:48:18 +02:00
Florian Roth
453bd10e6e
Rule: Suspicious reverse shell command lines
2019-04-02 17:03:57 +02:00
Florian Roth
d06a5431eb
Changes
2019-04-01 14:03:54 +02:00
patrick
0242c40360
Add new signature for linux clear command history
2019-03-24 10:10:14 +01:00
Florian Roth
5092b1e603
Rule: removed overlapping strings in Linux rule
2019-02-05 16:12:07 +01:00
Florian Roth
32c098294f
Rule: extended suspicious command lines
2019-02-05 15:58:15 +01:00
Florian Roth
b92c032c2d
Linux JexBoss back connect shell
2018-11-08 23:21:36 +01:00
Florian Roth
6bde2cd08f
Update lnx_buffer_overflows.yml
2018-08-25 00:20:34 +02:00
Florian Roth
234a48af19
rule: Linux SSHD exploit CVE-2018-15473
...
https://github.com/Rhynorater/CVE-2018-15473-Exploit
2018-08-24 16:40:41 +02:00
Florian Roth
9e0abc5f0b
Adjusted rules to the new specs reg "not null" usage
2018-06-28 09:30:31 +02:00
Alexandre ZANNI
74da324d8f
remove old public_html
...
remove old public_html
2018-05-29 11:44:38 +02:00
Alexandre ZANNI
a1de770b64
enhance web server paths
...
- specify when it is apache only
- add Per-user path
- add archlinux paths
2018-05-29 11:41:36 +02:00
Thomas Patzke
59eff939f2
Merge branch 'devel-sigmac'
2018-03-04 22:59:41 +01:00
Thomas Patzke
4792700726
Fixed rule
2018-03-04 22:07:01 +01:00
Florian Roth
b88a81a9e1
Rule: Linux > named > suspicious activity
2018-02-20 14:56:28 +01:00
Florian Roth
ef0cd4c110
Rules: Extended and fixed (*) sshd rules
2018-02-20 13:44:06 +01:00
SherifEldeeb
348728bdd9
Cleaning up empty list items
2018-01-28 02:36:39 +03:00
SherifEldeeb
48441962cc
Change All "str" references to be "list"to mach schema update
2018-01-28 02:24:16 +03:00
SherifEldeeb
112a0939d7
Change "reference" to "references" to match new schema
2018-01-28 02:12:19 +03:00
Florian Roth
aca70e57ec
Massive Title Cleanup
2018-01-27 10:57:30 +01:00
Florian Roth
f31ed7177e
Added status 'experimental' to newly created auditd rules
2018-01-23 11:15:02 +01:00
Florian Roth
fe80ae7885
Rule: Linux auditd 'program execution in suspicious folders'
2018-01-23 11:13:23 +01:00
Florian Roth
228ca1b765
Rule: Linux auditd 'suspicious commands'
2018-01-23 11:13:23 +01:00
Thomas Patzke
5c465129bd
Fixed rules
...
* Replaced unspecified logsource attribute 'type' with 'category'
* Usage of service 'auth' for linux logs
2017-09-11 00:35:52 +02:00
Thomas Patzke
f768bf3d61
Fixed parse errors
2017-08-02 22:49:15 +02:00
Florian Roth
fc4cd4036e
Linux: Suspicious VSFTPD errors
2017-07-05 18:59:51 -06:00
Florian Roth
ead63fbf75
Linux: Suspicious SSHD errors
2017-06-30 08:47:56 +02:00
Florian Roth
004fed24e0
Linux Generic Rules
2017-05-02 20:32:38 +02:00
Florian Roth
67d9c44bb3
Improved linux suspicious activity rule
2017-03-27 15:21:39 +02:00
Florian Roth
c5323ac1c2
Changes to Linux suspicious activity rule
2017-03-27 10:29:57 +02:00
Florian Roth
5c4a13af71
Rules: Linux commands and log entries of interest
2017-03-25 19:59:45 +01:00
Florian Roth
c8cc857b7c
Improved the linux suspicious keywords rule
2017-03-25 19:23:10 +01:00
Florian Roth
6932fcec65
Rule: Linux shell more suspicious keywords
2017-03-21 10:23:12 +01:00
Florian Roth
789b3899df
Improved Linux Shell Activity Rule
2017-03-15 09:07:59 +01:00
Florian Roth
9afa12f4a3
Further shell commands from MSF repo
2017-03-14 16:33:51 +01:00
Florian Roth
daeb7c3693
Rule: Suspicious activity in shell commands
2017-03-14 14:54:08 +01:00
Florian Roth
546a587df7
Rule: Shellshock Regex detection
...
http://rubular.com/r/zxBfjWfFYs
2017-03-14 14:53:29 +01:00
Florian Roth
3eae1f2710
Bug and typo fixes
2017-03-14 14:52:28 +01:00
Florian Roth
9934a66a3c
Rule: ClamAV
2017-03-01 10:00:17 +01:00
Florian Roth
2e0632b05f
Rule: Linux: buffer overflows
2017-03-01 08:38:33 +01:00
Florian Roth
001bed0c45
ModSecurity rule: multiple blocks
2017-02-28 17:53:32 +01:00
Florian Roth
b1446f9b87
Removed 'last' keyword from 'timeframe' fields
2017-02-28 17:52:40 +01:00
Florian Roth
18fd63f6b7
Levels to low, medium, high, critical
2017-02-16 18:06:22 +01:00
Thomas Patzke
88270fcf2d
Rule review and cleanup
...
* removed unnecessary one element lists from definitions
* converted some lists of one element maps to maps because the resulting
OR linkage would cause wrong result.
2017-02-15 23:53:08 +01:00
Florian Roth
a2adb1ddb5
Renamed rule files, new rules
2017-02-10 19:17:02 +01:00