From e4db2a600ef127d350bf306aa9d2246529ed8282 Mon Sep 17 00:00:00 2001
From: Franco Charriol
Date: Thu, 12 Nov 2020 13:04:50 -0300
Subject: [PATCH 1/3] Fixed role id missing in sample data
---
 server/lib/generate-alerts/sample-data/authentication.js | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/server/lib/generate-alerts/sample-data/authentication.js b/server/lib/generate-alerts/sample-data/authentication.js
index 3b7f3cb95c..ced026043e 100644
--- a/server/lib/generate-alerts/sample-data/authentication.js
+++ b/server/lib/generate-alerts/sample-data/authentication.js
@@ -134,7 +134,8 @@ export const windowsInvalidLoginPassword = {
 }
 export const userLoginFailed = {
- rule: {
+ rule: {
+ id: "5556",
 level: 5,
 description: "PAM: User login failed.",
 mail: false,
From c1e1341412fd90a61537b4ead72c4f8d4afed7af Mon Sep 17 00:00:00 2001
From: Franco Charriol
Date: Thu, 12 Nov 2020 13:07:50 -0300
Subject: [PATCH 2/3] Updated changelog
---
 CHANGELOG.md | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 35c2b7f4d1..e63a211ff6 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -8,6 +8,10 @@ All notable changes to the Wazuh app project will be documented in this file.
 - Hide empty columns of the processes table of the MacOS agents [#2570](https://github.com/wazuh/wazuh-kibana-app/pull/2570)
+### Fixed
+
+- Inconsistent data in sample data alerts [#2618](https://github.com/wazuh/wazuh-kibana-app/pull/2618)
+
 ## Wazuh v4.0.1 - Kibana v7.9.1, v7.9.3 - Revision 4008
 ### Fixed
From 14edac2991988286c3806a134fbeb5c43ac909fe Mon Sep 17 00:00:00 2001
From: Franco Charriol
Date: Thu, 12 Nov 2020 17:06:55 -0300
Subject: [PATCH 3/3] Refactored mitre sample data
---
 .../generate-alerts/generate-alerts-script.js | 1663 +++++++------
 .../sample-data/authentication.js | 292 +--
 .../lib/generate-alerts/sample-data/mitre.js | 2178 ++++++++++++++---
 3 files changed, 2802 insertions(+), 1331 deletions(-)
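Review bot: The new `id: "5556"` in userLoginFailed is a bare literal with nothing tying it to the ruleset entry that carries the description `PAM: User login failed.`, and if the two do not correspond the sample data stays inconsistent, which is exactly what this series sets out to fix. A short marker such as `// TODO(review): confirm this id matches the ruleset entry for "PAM: User login failed."` would let the next reader verify it without re-deriving it. The `rule: {` line is removed and re-added with identical visible text, so that part of the hunk appears to be a whitespace-only change riding along with the data fix; keeping formatting churn out of a one-field correction makes the intent of the hunk easier to audit. The userLoginFailed object continues past the end of the hunk.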
diff --git a/server/lib/generate-alerts/generate-alerts-script.js b/server/lib/generate-alerts/generate-alerts-script.js
index 3b9d3ee490..7fa40fe2dc 100644
--- a/server/lib/generate-alerts/generate-alerts-script.js
+++ b/server/lib/generate-alerts/generate-alerts-script.js
@@ -11,7 +11,17 @@
 */
 // General
-import { IPs, Users, Ports, Paths, Win_Hostnames, GeoLocation, Agents, randomElements, randomArrayItem } from './sample-data/common';
+import {
+ IPs,
+ Users,
+ Ports,
+ Paths,
+ Win_Hostnames,
+ GeoLocation,
+ Agents,
+ randomElements,
+ randomArrayItem,
+} from './sample-data/common';
 import { PCI_DSS, GDPR, HIPAA, GPG13, NIST_800_53, tsc } from './sample-data/regulatory-compliance';
 import * as Audit from './sample-data/audit';
@@ -35,7 +45,13 @@ import * as Web from './sample-data/web';
 const alertIDMax = 6000;
 // Rule
-const ruleDescription = ["Sample alert 1", "Sample alert 2", "Sample alert 3", "Sample alert 4", "Sample alert 5"];
+const ruleDescription = [
+ 'Sample alert 1',
+ 'Sample alert 2',
+ 'Sample alert 3',
+ 'Sample alert 4',
+ 'Sample alert 5',
+];
 const ruleMaxLevel = 14;
 /**
@@ -65,770 +81,837 @@ const ruleMaxLevel = 14; * @param {number} params.probability_authentication_failed - probability to add authentication_failed to rule.groups * @param {boolean} params.authentication_failures - if true, add win_authentication_failed to rule.groups * @param {number} params.probability_authentication_failures - probability to add authentication_failures to rule.groups - * @return {any} - Alert generated + * @return {any} - Alert generated */ function generateAlert(params) { - let alert = { - ["@sampledata"]: true, - timestamp: "2020-01-27T11:08:47.777+0000", - rule: { - level: 3, - description: "Sample alert", - id: "5502", - mail: false, - groups: [], - }, - agent: { - id: "000", - name: "master" - }, - manager: { - name: "master" - }, - cluster: { - name: "wazuh" - }, - id: "1580123327.49031", - predecoder: {}, - decoder: {}, - data: {}, - location: "" - } - alert.agent = randomArrayItem(Agents); - alert.rule.description = randomArrayItem(ruleDescription); - alert.rule.id = `${randomIntervalInteger(1,alertIDMax)}`; - alert.rule.level = randomIntervalInteger(1,ruleMaxLevel); - - alert.timestamp = randomDate(); - - if (params.manager) { - if (params.manager.name) { - alert.manager.name = params.manager.name; - } - } + let alert = { + ['@sampledata']: true, + timestamp: '2020-01-27T11:08:47.777+0000', + rule: { + level: 3, + description: 'Sample alert', + id: '5502', + mail: false, + groups: [], + }, + agent: { + id: '000', + name: 'master', + }, + manager: { + name: 'master', + }, + cluster: { + name: 'wazuh', + }, + id: '1580123327.49031', + predecoder: {}, + decoder: {}, + data: {}, + location: '', + }; + alert.agent = randomArrayItem(Agents); + alert.rule.description = randomArrayItem(ruleDescription); + alert.rule.id = `${randomIntervalInteger(1, alertIDMax)}`; + alert.rule.level = randomIntervalInteger(1, ruleMaxLevel); - if (params.cluster) { - if (params.cluster.name) { - alert.cluster.name = params.cluster.name; - } - if 
(params.cluster.node) { - alert.cluster.node = params.cluster.node; - } - } + alert.timestamp = randomDate(); - if (params.aws) { - let randomType = randomArrayItem(['guarddutyPortProbe', 'apiCall', 'networkConnection', 'iamPolicyGrantGlobal']); - - const beforeDate = new Date(new Date(alert.timestamp) - 3*24*60*60*1000); - switch (randomType){ - case 'guarddutyPortProbe': { - const typeAlert = AWS.guarddutyPortProbe; - - alert.data = { ...typeAlert.data }; - alert.data.integration = 'aws'; - alert.data.aws.region = randomArrayItem(AWS.region); - alert.data.aws.resource.instanceDetails = {...randomArrayItem(AWS.instanceDetails)}; - alert.data.aws.resource.instanceDetails.iamInstanceProfile.arn = interpolateAlertProps(typeAlert.data.aws.resource.instanceDetails.iamInstanceProfile.arn, alert); - alert.data.aws.title = interpolateAlertProps(alert.data.aws.title, alert); - alert.data.aws.accountId = randomArrayItem(AWS.accountId); - alert.data.aws.service.eventFirstSeen = formatDate(beforeDate, 'Y-M-DTh:m:s.lZ'); - alert.data.aws.service.eventLastSeen = formatDate(new Date(alert.timestamp), 'Y-M-DTh:m:s.lZ'); - alert.data.aws.service.action.portProbeAction.portProbeDetails.remoteIpDetails = {...randomArrayItem(AWS.remoteIpDetails)}; - alert.data.aws.log_info = { - s3bucket: randomArrayItem(AWS.buckets), - log_file: `guardduty/${formatDate(new Date(alert.timestamp), 'Y/M/D/h')}/firehose_guardduty-1-${formatDate(new Date(alert.timestamp), 'Y-M-D-h-m-s-l')}b5b9b-ec62-4a07-85d7-b1699b9c031e.zip`, - } - alert.data.aws.service.count = `${randomIntervalInteger(400,4000)}`; - alert.data.aws.createdAt = formatDate(beforeDate, 'Y-M-DTh:m:s.lZ') - - alert.rule = {...typeAlert.rule}; - alert.rule.firedtimes = randomIntervalInteger(1,50); - alert.rule.description = interpolateAlertProps(typeAlert.rule.description, alert); - - alert.decoder = {...typeAlert.decoder}; - alert.location = typeAlert.location; - break - } - case 'apiCall': { - const typeAlert = AWS.apiCall; - - alert.data 
= { ...typeAlert.data }; - alert.data.integration = 'aws'; - alert.data.aws.region = randomArrayItem(AWS.region); - alert.data.aws.resource.accessKeyDetails.userName = randomArrayItem(Users); - alert.data.aws.log_info = { - s3bucket: randomArrayItem(AWS.buckets), - log_file: `guardduty/${formatDate(new Date(alert.timestamp), 'Y/M/D/h')}/firehose_guardduty-1-${formatDate(new Date(alert.timestamp), 'Y-M-D-h-m-s-l')}b5b9b-ec62-4a07-85d7-b1699b9c031e.zip`, - } - alert.data.aws.accountId = randomArrayItem(AWS.accountId); - alert.data.aws.service.action.awsApiCallAction.remoteIpDetails = {...randomArrayItem(AWS.remoteIpDetails)}; - alert.data.aws.service.eventFirstSeen = formatDate(beforeDate, 'Y-M-DTh:m:s.lZ'); - alert.data.aws.service.eventLastSeen = formatDate(new Date(alert.timestamp), 'Y-M-DTh:m:s.lZ'); - alert.data.aws.createdAt = formatDate(beforeDate, 'Y-M-DTh:m:s.lZ'); - alert.data.aws.title = interpolateAlertProps(alert.data.aws.title, alert); - alert.data.aws.description = interpolateAlertProps(alert.data.aws.description, alert); - const count = `${randomIntervalInteger(400,4000)}`; - alert.data.aws.service.additionalInfo.recentApiCalls.count = count; - alert.data.aws.service.count = count; - - alert.rule = {...typeAlert.rule}; - alert.rule.firedtimes = randomIntervalInteger(1,50); - alert.rule.description = interpolateAlertProps(typeAlert.rule.description, alert); - - alert.decoder = {...typeAlert.decoder}; - alert.location = typeAlert.location; - break - } - case 'networkConnection': { - const typeAlert = AWS.networkConnection; - - alert.data = { ...typeAlert.data }; - alert.data.integration = 'aws'; - alert.data.aws.region = randomArrayItem(AWS.region); - alert.data.aws.resource.instanceDetails = {...randomArrayItem(AWS.instanceDetails)}; - alert.data.aws.log_info = { - s3bucket: randomArrayItem(AWS.buckets), - log_file: `guardduty/${formatDate(new Date(alert.timestamp), 'Y/M/D/h')}/firehose_guardduty-1-${formatDate(new Date(alert.timestamp), 
'Y-M-D-h-m-s-l')}b5b9b-ec62-4a07-85d7-b1699b9c031e.zip` - } - alert.data.aws.description = interpolateAlertProps(alert.data.aws.description, alert); - alert.data.aws.title = interpolateAlertProps(alert.data.aws.title, alert); - alert.data.aws.accountId = randomArrayItem(AWS.accountId); - alert.data.aws.createdAt = formatDate(beforeDate, 'Y-M-DTh:m:s.lZ'); - alert.data.aws.service.action.networkConnectionAction.remoteIpDetails = {...randomArrayItem(AWS.remoteIpDetails)}; - alert.data.aws.service.eventFirstSeen = formatDate(beforeDate, 'Y-M-DTh:m:s.lZ'); - alert.data.aws.service.eventLastSeen = formatDate(new Date(alert.timestamp), 'Y-M-DTh:m:s.lZ'); - alert.data.aws.service.additionalInfo = { - localPort: `${randomArrayItem(Ports)}`, - outBytes: `${randomIntervalInteger(1000,3000)}`, - inBytes: `${randomIntervalInteger(1000,10000)}`, - unusual: `${randomIntervalInteger(1000,10000)}` - }; - alert.data.aws.service.count = `${randomIntervalInteger(400,4000)}`; - alert.data.aws.service.action.networkConnectionAction.localIpDetails.ipAddressV4 = alert.data.aws.resource.instanceDetails.networkInterfaces.privateIpAddress; - alert.data.aws.arn = interpolateAlertProps(typeAlert.data.aws.arn, alert); - alert.rule = {...typeAlert.rule}; - alert.rule.firedtimes = randomIntervalInteger(1,50); - alert.rule.description = interpolateAlertProps(typeAlert.rule.description, alert); - - - alert.decoder = {...typeAlert.decoder}; - alert.location = typeAlert.location; - break - } - case 'iamPolicyGrantGlobal': { - const typeAlert = AWS.iamPolicyGrantGlobal; - - alert.data = { ...typeAlert.data }; - alert.data.integration = 'aws'; - alert.data.aws.region = randomArrayItem(AWS.region); - alert.data.aws.summary.Timestamps = formatDate(beforeDate, 'Y-M-DTh:m:s.lZ'); - alert.data.aws.log_info = { - s3bucket: randomArrayItem(AWS.buckets), - log_file: `macie/${formatDate(new Date(alert.timestamp), 'Y/M/D/h')}/firehose_macie-1-${formatDate(new Date(alert.timestamp), 
'Y-M-D-h-m-s')}-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-${formatDate(new Date(alert.timestamp), 'Y-M-D-h-m-s-l')}b5b9b-ec62-4a07-85d7-b1699b9c031e.zip`, - }; - alert.data.aws["created-at"] = formatDate(beforeDate, 'Y-M-DTh:m:s.lZ'); - alert.data.aws.url = interpolateAlertProps(typeAlert.data.aws.url, alert); - alert.data.aws['alert-arn'] = interpolateAlertProps(typeAlert.data.aws['alert-arn'], alert); - - alert.rule = {...typeAlert.rule}; - alert.rule.firedtimes = randomIntervalInteger(1,50); - - alert.decoder = {...typeAlert.decoder}; - alert.location = typeAlert.location; - break - } - default: {} - } - alert.input = {type: 'log'}; - alert.GeoLocation = randomArrayItem(GeoLocation); + if (params.manager) { + if (params.manager.name) { + alert.manager.name = params.manager.name; } + } - if (params.gcp) { - alert.rule = randomArrayItem(GCP.arrayRules); - alert.data.integration = 'gcp'; - alert.data.gcp = { - insertId: "uk1zpe23xcj", - jsonPayload: { - authAnswer: GCP.arrayAuthAnswer[Math.floor(GCP.arrayAuthAnswer.length * Math.random())], - protocol: GCP.arrayProtocol[Math.floor(GCP.arrayProtocol.length * Math.random())], - queryName: GCP.arrayQueryName[Math.floor(GCP.arrayQueryName.length * Math.random())], - queryType: GCP.arrayQueryType[Math.floor(GCP.arrayQueryType.length * Math.random())], - responseCode: GCP.arrayResponseCode[Math.floor(GCP.arrayResponseCode.length * Math.random())], - sourceIP: GCP.arraySourceIP[Math.floor(GCP.arraySourceIP.length * Math.random())], - vmInstanceId: "4980113928800839680.000000", - vmInstanceName: "531339229531.instance-1" - }, - logName: "projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries", - receiveTimestamp: "2019-11-11T02:42:05.05853152Z", - resource: { - labels: { - location: GCP.arrayLocation[Math.floor(GCP.arrayLocation.length * Math.random())], - project_id: GCP.arrayProject[Math.floor(GCP.arrayProject.length * Math.random())], - source_type: 
GCP.arraySourceType[Math.floor(GCP.arraySourceType.length * Math.random())], - target_type: "external" - }, - type: GCP.arrayType[Math.floor(GCP.arrayType.length * Math.random())], - }, - severity: GCP.arraySeverity[Math.floor(GCP.arraySeverity.length * Math.random())], - timestamp: "2019-11-11T02:42:04.34921449Z" - } - - alert.GeoLocation = randomArrayItem(GeoLocation); + if (params.cluster) { + if (params.cluster.name) { + alert.cluster.name = params.cluster.name; } - - if (params.audit) { - let dataAudit = randomArrayItem(Audit.dataAudit); - alert.data = dataAudit.data; - alert.data.audit.file ? alert.data.audit.file.name === '' ? alert.data.audit.file.name = randomArrayItem(Audit.fileName) : null : null; - alert.rule = dataAudit.rule; + if (params.cluster.node) { + alert.cluster.node = params.cluster.node; } + } - if (params.ciscat) { - alert.rule.groups.push("ciscat"); - alert.data.cis = {}; - - alert.data.cis.group = randomArrayItem(CISCAT.group); - alert.data.cis.fail = randomIntervalInteger(0, 100); - alert.data.cis.rule_title = randomArrayItem(CISCAT.ruleTitle); - alert.data.cis.notchecked = randomIntervalInteger(0, 100); - alert.data.cis.score = randomIntervalInteger(0, 100); - alert.data.cis.pass = randomIntervalInteger(0, 100); - alert.data.cis.timestamp = new Date(randomDate()); - alert.data.cis.error = randomIntervalInteger(0, 1); - alert.data.cis.benchmark = randomArrayItem(CISCAT.benchmark); - alert.data.cis.unknown = randomIntervalInteger(0, 100); - alert.data.cis.notchecked = randomIntervalInteger(0, 5); - alert.data.cis.result = randomArrayItem(CISCAT.result); - } + if (params.aws) { + let randomType = randomArrayItem([ + 'guarddutyPortProbe', + 'apiCall', + 'networkConnection', + 'iamPolicyGrantGlobal', + ]); - if (params.docker) { - const dataDocker = randomArrayItem(Docker.dataDocker); - alert.data = {}; - alert.data = dataDocker.data; - alert.rule = dataDocker.rule; - } + const beforeDate = new Date(new Date(alert.timestamp) - 3 * 24 * 60 * 
60 * 1000); + switch (randomType) { + case 'guarddutyPortProbe': { + const typeAlert = AWS.guarddutyPortProbe; - if (params.mitre) { - alert.rule.groups.push(randomArrayItem(Mitre.arrayGroups)); - alert.rule.description = randomArrayItem(Mitre.arrayRuleDescription); - alert.location = randomArrayItem(Mitre.arrayLocation); - - let dataMitre = randomArrayItem(Mitre.rule); - let ruleMitre = dataMitre.rule[Math.floor(dataMitre.rule.length * Math.random())]; - - let arrayTactics = []; - arrayTactics.push(dataMitre.tactic); - let arrayId = []; - arrayId.push(ruleMitre.id); - let arrayTechniques = []; - arrayTechniques.push(ruleMitre.technique); - - if (Math.random() <= 0.3) { - ruleMitre = dataMitre.rule[Math.floor(dataMitre.rule.length * Math.random())]; - if(arrayId.indexOf(dataMitre.id === -1)) { - arrayId.push(ruleMitre.id); - arrayTechniques.push(ruleMitre.technique); - } - } - - alert.rule.mitre = { - tactic: arrayTactics, - id: arrayId, - technique: arrayTechniques - } - - if (Math.random() <= 0.5) { - arrayTactics = []; - arrayId = []; - arrayTechniques = []; - - dataMitre = randomArrayItem(Mitre.rule); - ruleMitre = dataMitre.rule[Math.floor(dataMitre.rule.length * Math.random())]; - - arrayTactics.push(dataMitre.tactic); - arrayId.push(ruleMitre.id); - arrayTechniques.push(ruleMitre.technique); - - if (Math.random() <= 0.2) { - ruleMitre = dataMitre.rule[Math.floor(dataMitre.rule.length * Math.random())]; - if(arrayId.indexOf(dataMitre.id === -1)) { - arrayId.push(ruleMitre.id); - arrayTechniques.push(ruleMitre.technique); - } - } - alert.rule.mitre.tactic.concat(arrayTactics); - alert.rule.mitre.id.concat(arrayId); - alert.rule.mitre.technique.concat(arrayTechniques); - } - } + alert.data = { ...typeAlert.data }; + alert.data.integration = 'aws'; + alert.data.aws.region = randomArrayItem(AWS.region); + alert.data.aws.resource.instanceDetails = { ...randomArrayItem(AWS.instanceDetails) }; + alert.data.aws.resource.instanceDetails.iamInstanceProfile.arn = 
interpolateAlertProps( + typeAlert.data.aws.resource.instanceDetails.iamInstanceProfile.arn, + alert + ); + alert.data.aws.title = interpolateAlertProps(alert.data.aws.title, alert); + alert.data.aws.accountId = randomArrayItem(AWS.accountId); + alert.data.aws.service.eventFirstSeen = formatDate(beforeDate, 'Y-M-DTh:m:s.lZ'); + alert.data.aws.service.eventLastSeen = formatDate( + new Date(alert.timestamp), + 'Y-M-DTh:m:s.lZ' + ); + alert.data.aws.service.action.portProbeAction.portProbeDetails.remoteIpDetails = { + ...randomArrayItem(AWS.remoteIpDetails), + }; + alert.data.aws.log_info = { + s3bucket: randomArrayItem(AWS.buckets), + log_file: `guardduty/${formatDate( + new Date(alert.timestamp), + 'Y/M/D/h' + )}/firehose_guardduty-1-${formatDate( + new Date(alert.timestamp), + 'Y-M-D-h-m-s-l' + )}b5b9b-ec62-4a07-85d7-b1699b9c031e.zip`, + }; + alert.data.aws.service.count = `${randomIntervalInteger(400, 4000)}`; + alert.data.aws.createdAt = formatDate(beforeDate, 'Y-M-DTh:m:s.lZ'); + + alert.rule = { ...typeAlert.rule }; + alert.rule.firedtimes = randomIntervalInteger(1, 50); + alert.rule.description = interpolateAlertProps(typeAlert.rule.description, alert); + + alert.decoder = { ...typeAlert.decoder }; + alert.location = typeAlert.location; + break; + } + case 'apiCall': { + const typeAlert = AWS.apiCall; - if (params.openscap) { - alert.data = {}; - alert.data.oscap = {}; - const typeAlert = {...randomArrayItem(OpenSCAP.data)} - alert.data = {...typeAlert.data}; - alert.rule = {...typeAlert.rule}; - alert.rule.firedtimes = randomIntervalInteger(2,10); - alert.input = { - type: 'log' + alert.data = { ...typeAlert.data }; + alert.data.integration = 'aws'; + alert.data.aws.region = randomArrayItem(AWS.region); + alert.data.aws.resource.accessKeyDetails.userName = randomArrayItem(Users); + alert.data.aws.log_info = { + s3bucket: randomArrayItem(AWS.buckets), + log_file: `guardduty/${formatDate( + new Date(alert.timestamp), + 'Y/M/D/h' + 
)}/firehose_guardduty-1-${formatDate( + new Date(alert.timestamp), + 'Y-M-D-h-m-s-l' + )}b5b9b-ec62-4a07-85d7-b1699b9c031e.zip`, }; - alert.decoder = {...OpenSCAP.decoder}; - alert.location = OpenSCAP.location; - if(typeAlert.full_log){ - alert.full_log = interpolateAlertProps(typeAlert.full_log, alert); - } - } + alert.data.aws.accountId = randomArrayItem(AWS.accountId); + alert.data.aws.service.action.awsApiCallAction.remoteIpDetails = { + ...randomArrayItem(AWS.remoteIpDetails), + }; + alert.data.aws.service.eventFirstSeen = formatDate(beforeDate, 'Y-M-DTh:m:s.lZ'); + alert.data.aws.service.eventLastSeen = formatDate( + new Date(alert.timestamp), + 'Y-M-DTh:m:s.lZ' + ); + alert.data.aws.createdAt = formatDate(beforeDate, 'Y-M-DTh:m:s.lZ'); + alert.data.aws.title = interpolateAlertProps(alert.data.aws.title, alert); + alert.data.aws.description = interpolateAlertProps(alert.data.aws.description, alert); + const count = `${randomIntervalInteger(400, 4000)}`; + alert.data.aws.service.additionalInfo.recentApiCalls.count = count; + alert.data.aws.service.count = count; + + alert.rule = { ...typeAlert.rule }; + alert.rule.firedtimes = randomIntervalInteger(1, 50); + alert.rule.description = interpolateAlertProps(typeAlert.rule.description, alert); + + alert.decoder = { ...typeAlert.decoder }; + alert.location = typeAlert.location; + break; + } + case 'networkConnection': { + const typeAlert = AWS.networkConnection; - if (params.rootcheck) { - alert.location = PolicyMonitoring.location; - alert.decoder = {...PolicyMonitoring.decoder}; - alert.input = { - type: 'log' + alert.data = { ...typeAlert.data }; + alert.data.integration = 'aws'; + alert.data.aws.region = randomArrayItem(AWS.region); + alert.data.aws.resource.instanceDetails = { ...randomArrayItem(AWS.instanceDetails) }; + alert.data.aws.log_info = { + s3bucket: randomArrayItem(AWS.buckets), + log_file: `guardduty/${formatDate( + new Date(alert.timestamp), + 'Y/M/D/h' + )}/firehose_guardduty-1-${formatDate( + 
new Date(alert.timestamp), + 'Y-M-D-h-m-s-l' + )}b5b9b-ec62-4a07-85d7-b1699b9c031e.zip`, + }; + alert.data.aws.description = interpolateAlertProps(alert.data.aws.description, alert); + alert.data.aws.title = interpolateAlertProps(alert.data.aws.title, alert); + alert.data.aws.accountId = randomArrayItem(AWS.accountId); + alert.data.aws.createdAt = formatDate(beforeDate, 'Y-M-DTh:m:s.lZ'); + alert.data.aws.service.action.networkConnectionAction.remoteIpDetails = { + ...randomArrayItem(AWS.remoteIpDetails), + }; + alert.data.aws.service.eventFirstSeen = formatDate(beforeDate, 'Y-M-DTh:m:s.lZ'); + alert.data.aws.service.eventLastSeen = formatDate( + new Date(alert.timestamp), + 'Y-M-DTh:m:s.lZ' + ); + alert.data.aws.service.additionalInfo = { + localPort: `${randomArrayItem(Ports)}`, + outBytes: `${randomIntervalInteger(1000, 3000)}`, + inBytes: `${randomIntervalInteger(1000, 10000)}`, + unusual: `${randomIntervalInteger(1000, 10000)}`, }; + alert.data.aws.service.count = `${randomIntervalInteger(400, 4000)}`; + alert.data.aws.service.action.networkConnectionAction.localIpDetails.ipAddressV4 = + alert.data.aws.resource.instanceDetails.networkInterfaces.privateIpAddress; + alert.data.aws.arn = interpolateAlertProps(typeAlert.data.aws.arn, alert); + alert.rule = { ...typeAlert.rule }; + alert.rule.firedtimes = randomIntervalInteger(1, 50); + alert.rule.description = interpolateAlertProps(typeAlert.rule.description, alert); - const alertCategory = randomArrayItem(['Rootkit', 'Trojan']); - - switch (alertCategory){ - case 'Rootkit':{ - const rootkitCategory = randomArrayItem(Object.keys(PolicyMonitoring.rootkits)); - const rootkit = randomArrayItem(PolicyMonitoring.rootkits[rootkitCategory]); - alert.data = { - title: interpolateAlertProps(PolicyMonitoring.rootkitsData.data.title, alert, { - _rootkit_category: rootkitCategory, - _rootkit_file: rootkit - }) - }; - alert.rule = {...PolicyMonitoring.rootkitsData.rule}; - alert.rule.firedtimes = randomIntervalInteger(1,10); - 
alert.full_log = alert.data.title; - break; - - } - case 'Trojan':{ - const trojan = randomArrayItem(PolicyMonitoring.trojans); - alert.data = { - file: trojan.file, - title: "Trojaned version of file detected." - }; - alert.rule = {...PolicyMonitoring.trojansData.rule}; - alert.rule.firedtimes = randomIntervalInteger(1,10); - alert.full_log = interpolateAlertProps(PolicyMonitoring.trojansData.full_log, alert, { - _trojan_signature: trojan.signature - }); - break; - } - default: {} - } - } + alert.decoder = { ...typeAlert.decoder }; + alert.location = typeAlert.location; + break; + } + case 'iamPolicyGrantGlobal': { + const typeAlert = AWS.iamPolicyGrantGlobal; - if (params.syscheck) { - alert.rule.groups.push("syscheck"); - alert.syscheck = {}; - alert.syscheck.event = randomArrayItem(IntegrityMonitoring.events); - alert.syscheck.path = randomArrayItem(alert.agent.name === 'Windows' ? IntegrityMonitoring.pathsWindows : IntegrityMonitoring.pathsLinux); - alert.syscheck.uname_after = randomArrayItem(Users); - alert.syscheck.gname_after = "root"; - alert.syscheck.mtime_after = new Date(randomDate()); - alert.syscheck.size_after = randomIntervalInteger(0,65); - alert.syscheck.uid_after = randomArrayItem(IntegrityMonitoring.uid_after); - alert.syscheck.gid_after = randomArrayItem(IntegrityMonitoring.gid_after); - alert.syscheck.perm_after = "rw-r--r--"; - alert.syscheck.inode_after = randomIntervalInteger(0,100000); - switch (alert.syscheck.event) { - case "added": - alert.rule = IntegrityMonitoring.regulatory[0]; - break; - case "modified": - alert.rule = IntegrityMonitoring.regulatory[1]; - alert.syscheck.mtime_before = new Date(alert.syscheck.mtime_after.getTime() - 1000 * 60); - alert.syscheck.inode_before = randomIntervalInteger(0,100000); - alert.syscheck.sha1_after = randomElements(40, 'abcdef0123456789'); - alert.syscheck.changed_attributes = [randomArrayItem(IntegrityMonitoring.attributes)]; - alert.syscheck.md5_after = randomElements(32, 'abcdef0123456789'); 
- alert.syscheck.sha256_after = randomElements(60, 'abcdef0123456789'); - break; - case "deleted": - alert.rule = IntegrityMonitoring.regulatory[2]; - alert.syscheck.tags = [randomArrayItem(IntegrityMonitoring.tags)]; - alert.syscheck.sha1_after = randomElements(40, 'abcdef0123456789'); - alert.syscheck.audit = { - "process": { - "name": randomArrayItem(Paths), - "id": randomIntervalInteger(0,100000), - "ppid": randomIntervalInteger(0,100000) - }, - "effective_user": { - "name": randomArrayItem(Users), - "id": randomIntervalInteger(0,100) - }, - "user": { - "name": randomArrayItem(Users), - "id": randomIntervalInteger(0,100) - }, - "group": { - "name": randomArrayItem(Users), - "id": randomIntervalInteger(0,100) - } - } - alert.syscheck.md5_after = randomElements(32, 'abcdef0123456789'); - alert.syscheck.sha256_after = randomElements(60, 'abcdef0123456789'); - break; - default: {} - } + alert.data = { ...typeAlert.data }; + alert.data.integration = 'aws'; + alert.data.aws.region = randomArrayItem(AWS.region); + alert.data.aws.summary.Timestamps = formatDate(beforeDate, 'Y-M-DTh:m:s.lZ'); + alert.data.aws.log_info = { + s3bucket: randomArrayItem(AWS.buckets), + log_file: `macie/${formatDate( + new Date(alert.timestamp), + 'Y/M/D/h' + )}/firehose_macie-1-${formatDate( + new Date(alert.timestamp), + 'Y-M-D-h-m-s' + )}-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-${formatDate( + new Date(alert.timestamp), + 'Y-M-D-h-m-s-l' + )}b5b9b-ec62-4a07-85d7-b1699b9c031e.zip`, + }; + alert.data.aws['created-at'] = formatDate(beforeDate, 'Y-M-DTh:m:s.lZ'); + alert.data.aws.url = interpolateAlertProps(typeAlert.data.aws.url, alert); + alert.data.aws['alert-arn'] = interpolateAlertProps(typeAlert.data.aws['alert-arn'], alert); + + alert.rule = { ...typeAlert.rule }; + alert.rule.firedtimes = randomIntervalInteger(1, 50); + + alert.decoder = { ...typeAlert.decoder }; + alert.location = typeAlert.location; + break; + } + default: { + } } + alert.input = { type: 'log' }; 
+ alert.GeoLocation = randomArrayItem(GeoLocation); + } - if (params.virustotal) { - alert.rule.groups.push("virustotal"); - alert.location = 'virustotal'; - alert.data.virustotal = {}; - alert.data.virustotal.found = randomArrayItem(['0', '1', '1', '1']); - - alert.data.virustotal.source = { - sha1: randomElements(40, 'abcdef0123456789'), - file: randomArrayItem(Virustotal.sourceFile), - alert_id: `${randomElements(10, '0123456789')}.${randomElements(7, '0123456789')}`, - md5: randomElements(32, 'abcdef0123456789') - }; - - if (alert.data.virustotal.found === '1') { - alert.data.virustotal.malicious = randomArrayItem(Virustotal.malicious); - alert.data.virustotal.positives = `${randomIntervalInteger(0,65)}`; - alert.data.virustotal.total = alert.data.virustotal.malicious + alert.data.virustotal.positives; - alert.rule.description = `VirusTotal: Alert - ${alert.data.virustotal.source.file} - ${alert.data.virustotal.positives} engines detected this file`; - alert.data.virustotal.permalink = randomArrayItem(Virustotal.permalink); - alert.data.virustotal.scan_date = new Date(Date.parse(alert.timestamp)- (4 * 60000)); - } else { - alert.data.virustotal.malicious = '0'; - alert.rule.description = 'VirusTotal: Alert - No records in VirusTotal database'; - } + if (params.gcp) { + alert.rule = randomArrayItem(GCP.arrayRules); + alert.data.integration = 'gcp'; + alert.data.gcp = { + insertId: 'uk1zpe23xcj', + jsonPayload: { + authAnswer: GCP.arrayAuthAnswer[Math.floor(GCP.arrayAuthAnswer.length * Math.random())], + protocol: GCP.arrayProtocol[Math.floor(GCP.arrayProtocol.length * Math.random())], + queryName: GCP.arrayQueryName[Math.floor(GCP.arrayQueryName.length * Math.random())], + queryType: GCP.arrayQueryType[Math.floor(GCP.arrayQueryType.length * Math.random())], + responseCode: + GCP.arrayResponseCode[Math.floor(GCP.arrayResponseCode.length * Math.random())], + sourceIP: GCP.arraySourceIP[Math.floor(GCP.arraySourceIP.length * Math.random())], + vmInstanceId: 
'4980113928800839680.000000', + vmInstanceName: '531339229531.instance-1', + }, + logName: 'projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries', + receiveTimestamp: '2019-11-11T02:42:05.05853152Z', + resource: { + labels: { + location: GCP.arrayLocation[Math.floor(GCP.arrayLocation.length * Math.random())], + project_id: GCP.arrayProject[Math.floor(GCP.arrayProject.length * Math.random())], + source_type: GCP.arraySourceType[Math.floor(GCP.arraySourceType.length * Math.random())], + target_type: 'external', + }, + type: GCP.arrayType[Math.floor(GCP.arrayType.length * Math.random())], + }, + severity: GCP.arraySeverity[Math.floor(GCP.arraySeverity.length * Math.random())], + timestamp: '2019-11-11T02:42:04.34921449Z', + }; + + alert.GeoLocation = randomArrayItem(GeoLocation); + } + + if (params.audit) { + let dataAudit = randomArrayItem(Audit.dataAudit); + alert.data = dataAudit.data; + alert.data.audit.file + ? alert.data.audit.file.name === '' + ? (alert.data.audit.file.name = randomArrayItem(Audit.fileName)) + : null + : null; + alert.rule = dataAudit.rule; + } + + if (params.ciscat) { + alert.rule.groups.push('ciscat'); + alert.data.cis = {}; + + alert.data.cis.group = randomArrayItem(CISCAT.group); + alert.data.cis.fail = randomIntervalInteger(0, 100); + alert.data.cis.rule_title = randomArrayItem(CISCAT.ruleTitle); + alert.data.cis.notchecked = randomIntervalInteger(0, 100); + alert.data.cis.score = randomIntervalInteger(0, 100); + alert.data.cis.pass = randomIntervalInteger(0, 100); + alert.data.cis.timestamp = new Date(randomDate()); + alert.data.cis.error = randomIntervalInteger(0, 1); + alert.data.cis.benchmark = randomArrayItem(CISCAT.benchmark); + alert.data.cis.unknown = randomIntervalInteger(0, 100); + alert.data.cis.notchecked = randomIntervalInteger(0, 5); + alert.data.cis.result = randomArrayItem(CISCAT.result); + } + + if (params.docker) { + const dataDocker = randomArrayItem(Docker.dataDocker); + alert.data = {}; + alert.data = 
dataDocker.data; + alert.rule = dataDocker.rule; + } + + if (params.mitre) { + alert.rule = randomArrayItem(Mitre.arrayMitreRules); + alert.location = randomArrayItem(Mitre.arrayLocation); + } + + if (params.openscap) { + alert.data = {}; + alert.data.oscap = {}; + const typeAlert = { ...randomArrayItem(OpenSCAP.data) }; + alert.data = { ...typeAlert.data }; + alert.rule = { ...typeAlert.rule }; + alert.rule.firedtimes = randomIntervalInteger(2, 10); + alert.input = { + type: 'log', + }; + alert.decoder = { ...OpenSCAP.decoder }; + alert.location = OpenSCAP.location; + if (typeAlert.full_log) { + alert.full_log = interpolateAlertProps(typeAlert.full_log, alert); } + } + + if (params.rootcheck) { + alert.location = PolicyMonitoring.location; + alert.decoder = { ...PolicyMonitoring.decoder }; + alert.input = { + type: 'log', + }; + + const alertCategory = randomArrayItem(['Rootkit', 'Trojan']); - if (params.vulnerabilities) { - const dataVulnerability = randomArrayItem(Vulnerability.data); - alert.rule = { - ...dataVulnerability.rule, - mail: false, - groups: ['vulnerability-detector'], - gdpr: ['IV_35.7.d'], - pci_dss: ['11.2.1', '11.2.3'], - tsc: ["CC7.1","CC7.2"] + switch (alertCategory) { + case 'Rootkit': { + const rootkitCategory = randomArrayItem(Object.keys(PolicyMonitoring.rootkits)); + const rootkit = randomArrayItem(PolicyMonitoring.rootkits[rootkitCategory]); + alert.data = { + title: interpolateAlertProps(PolicyMonitoring.rootkitsData.data.title, alert, { + _rootkit_category: rootkitCategory, + _rootkit_file: rootkit, + }), }; - alert.location = 'vulnerability-detector'; - alert.decoder = { name: 'json' }; + alert.rule = { ...PolicyMonitoring.rootkitsData.rule }; + alert.rule.firedtimes = randomIntervalInteger(1, 10); + alert.full_log = alert.data.title; + break; + } + case 'Trojan': { + const trojan = randomArrayItem(PolicyMonitoring.trojans); alert.data = { - ...dataVulnerability.data + file: trojan.file, + title: 'Trojaned version of file detected.', 
}; + alert.rule = { ...PolicyMonitoring.trojansData.rule }; + alert.rule.firedtimes = randomIntervalInteger(1, 10); + alert.full_log = interpolateAlertProps(PolicyMonitoring.trojansData.full_log, alert, { + _trojan_signature: trojan.signature, + }); + break; + } + default: { + } } - - if (params.osquery) { - alert.rule.groups.push("osquery"); - alert.data.osquery = {}; - if(randomIntervalInteger(0, 5) === 0) { - alert.rule.description = 'osquery error message'; - } else { - let dataOsquery = randomArrayItem(Osquery.dataOsquery); - alert.data.osquery = dataOsquery.osquery; - alert.data.osquery.calendarTime = alert.timestamp; - alert.rule.description = dataOsquery.rule.description; - (randomIntervalInteger(0, 99) === 0) ? alert.data.osquery.action = 'removed': null; - } - } + } - // Regulatory compliance - if (params.pci_dss || params.regulatory_compliance || (params.random_probability_regulatory_compliance && randomProbability(params.random_probability_regulatory_compliance))) { - alert.rule.pci_dss = [randomArrayItem(PCI_DSS)]; - } - if (params.gdpr || params.regulatory_compliance || (params.random_probability_regulatory_compliance && randomProbability(params.random_probability_regulatory_compliance))) { - alert.rule.gdpr = [randomArrayItem(GDPR)]; - } - if (params.gpg13 || params.regulatory_compliance || (params.random_probability_regulatory_compliance && randomProbability(params.random_probability_regulatory_compliance))) { - alert.rule.gpg13 = [randomArrayItem(GPG13)]; + if (params.syscheck) { + alert.rule.groups.push('syscheck'); + alert.syscheck = {}; + alert.syscheck.event = randomArrayItem(IntegrityMonitoring.events); + alert.syscheck.path = randomArrayItem( + alert.agent.name === 'Windows' + ? 
IntegrityMonitoring.pathsWindows + : IntegrityMonitoring.pathsLinux + ); + alert.syscheck.uname_after = randomArrayItem(Users); + alert.syscheck.gname_after = 'root'; + alert.syscheck.mtime_after = new Date(randomDate()); + alert.syscheck.size_after = randomIntervalInteger(0, 65); + alert.syscheck.uid_after = randomArrayItem(IntegrityMonitoring.uid_after); + alert.syscheck.gid_after = randomArrayItem(IntegrityMonitoring.gid_after); + alert.syscheck.perm_after = 'rw-r--r--'; + alert.syscheck.inode_after = randomIntervalInteger(0, 100000); + switch (alert.syscheck.event) { + case 'added': + alert.rule = IntegrityMonitoring.regulatory[0]; + break; + case 'modified': + alert.rule = IntegrityMonitoring.regulatory[1]; + alert.syscheck.mtime_before = new Date(alert.syscheck.mtime_after.getTime() - 1000 * 60); + alert.syscheck.inode_before = randomIntervalInteger(0, 100000); + alert.syscheck.sha1_after = randomElements(40, 'abcdef0123456789'); + alert.syscheck.changed_attributes = [randomArrayItem(IntegrityMonitoring.attributes)]; + alert.syscheck.md5_after = randomElements(32, 'abcdef0123456789'); + alert.syscheck.sha256_after = randomElements(60, 'abcdef0123456789'); + break; + case 'deleted': + alert.rule = IntegrityMonitoring.regulatory[2]; + alert.syscheck.tags = [randomArrayItem(IntegrityMonitoring.tags)]; + alert.syscheck.sha1_after = randomElements(40, 'abcdef0123456789'); + alert.syscheck.audit = { + process: { + name: randomArrayItem(Paths), + id: randomIntervalInteger(0, 100000), + ppid: randomIntervalInteger(0, 100000), + }, + effective_user: { + name: randomArrayItem(Users), + id: randomIntervalInteger(0, 100), + }, + user: { + name: randomArrayItem(Users), + id: randomIntervalInteger(0, 100), + }, + group: { + name: randomArrayItem(Users), + id: randomIntervalInteger(0, 100), + }, + }; + alert.syscheck.md5_after = randomElements(32, 'abcdef0123456789'); + alert.syscheck.sha256_after = randomElements(60, 'abcdef0123456789'); + break; + default: { + } } - if 
(params.hipaa || params.regulatory_compliance || (params.random_probability_regulatory_compliance && randomIntervalInteger(params.random_probability_regulatory_compliance))) { - alert.rule.hipaa = [randomArrayItem(HIPAA)]; + } + + if (params.virustotal) { + alert.rule.groups.push('virustotal'); + alert.location = 'virustotal'; + alert.data.virustotal = {}; + alert.data.virustotal.found = randomArrayItem(['0', '1', '1', '1']); + + alert.data.virustotal.source = { + sha1: randomElements(40, 'abcdef0123456789'), + file: randomArrayItem(Virustotal.sourceFile), + alert_id: `${randomElements(10, '0123456789')}.${randomElements(7, '0123456789')}`, + md5: randomElements(32, 'abcdef0123456789'), + }; + + if (alert.data.virustotal.found === '1') { + alert.data.virustotal.malicious = randomArrayItem(Virustotal.malicious); + alert.data.virustotal.positives = `${randomIntervalInteger(0, 65)}`; + alert.data.virustotal.total = + alert.data.virustotal.malicious + alert.data.virustotal.positives; + alert.rule.description = `VirusTotal: Alert - ${alert.data.virustotal.source.file} - ${alert.data.virustotal.positives} engines detected this file`; + alert.data.virustotal.permalink = randomArrayItem(Virustotal.permalink); + alert.data.virustotal.scan_date = new Date(Date.parse(alert.timestamp) - 4 * 60000); + } else { + alert.data.virustotal.malicious = '0'; + alert.rule.description = 'VirusTotal: Alert - No records in VirusTotal database'; } - if (params.nist_800_83 || params.regulatory_compliance || (params.random_probability_regulatory_compliance && randomIntervalInteger(params.random_probability_regulatory_compliance))) { - alert.rule.nist_800_53 = [randomArrayItem(NIST_800_53)]; + } + + if (params.vulnerabilities) { + const dataVulnerability = randomArrayItem(Vulnerability.data); + alert.rule = { + ...dataVulnerability.rule, + mail: false, + groups: ['vulnerability-detector'], + gdpr: ['IV_35.7.d'], + pci_dss: ['11.2.1', '11.2.3'], + tsc: ['CC7.1', 'CC7.2'], + }; + alert.location 
= 'vulnerability-detector'; + alert.decoder = { name: 'json' }; + alert.data = { + ...dataVulnerability.data, + }; + } + + if (params.osquery) { + alert.rule.groups.push('osquery'); + alert.data.osquery = {}; + if (randomIntervalInteger(0, 5) === 0) { + alert.rule.description = 'osquery error message'; + } else { + let dataOsquery = randomArrayItem(Osquery.dataOsquery); + alert.data.osquery = dataOsquery.osquery; + alert.data.osquery.calendarTime = alert.timestamp; + alert.rule.description = dataOsquery.rule.description; + randomIntervalInteger(0, 99) === 0 ? (alert.data.osquery.action = 'removed') : null; } + } + + // Regulatory compliance + if ( + params.pci_dss || + params.regulatory_compliance || + (params.random_probability_regulatory_compliance && + randomProbability(params.random_probability_regulatory_compliance)) + ) { + alert.rule.pci_dss = [randomArrayItem(PCI_DSS)]; + } + if ( + params.gdpr || + params.regulatory_compliance || + (params.random_probability_regulatory_compliance && + randomProbability(params.random_probability_regulatory_compliance)) + ) { + alert.rule.gdpr = [randomArrayItem(GDPR)]; + } + if ( + params.gpg13 || + params.regulatory_compliance || + (params.random_probability_regulatory_compliance && + randomProbability(params.random_probability_regulatory_compliance)) + ) { + alert.rule.gpg13 = [randomArrayItem(GPG13)]; + } + if ( + params.hipaa || + params.regulatory_compliance || + (params.random_probability_regulatory_compliance && + randomIntervalInteger(params.random_probability_regulatory_compliance)) + ) { + alert.rule.hipaa = [randomArrayItem(HIPAA)]; + } + if ( + params.nist_800_83 || + params.regulatory_compliance || + (params.random_probability_regulatory_compliance && + randomIntervalInteger(params.random_probability_regulatory_compliance)) + ) { + alert.rule.nist_800_53 = [randomArrayItem(NIST_800_53)]; + } + + if (params.authentication) { + alert.data = { + srcip: randomArrayItem(IPs), + srcuser: randomArrayItem(Users), + 
srcport: randomArrayItem(Ports), + }; + alert.GeoLocation = randomArrayItem(GeoLocation); + alert.decoder = { + name: 'sshd', + parent: 'sshd', + }; + alert.input = { + type: 'log', + }; + alert.predecoder = { + program_name: 'sshd', + timestamp: formatDate(new Date(alert.timestamp), 'N D h:m:s'), + hostname: alert.manager.name, + }; + let typeAlert = randomArrayItem([ + 'invalidLoginPassword', + 'invalidLoginUser', + 'multipleAuthenticationFailures', + 'windowsInvalidLoginPassword', + 'userLoginFailed', + 'passwordCheckFailed', + 'nonExistentUser', + 'bruteForceTryingAccessSystem', + 'authenticationSuccess', + 'maximumAuthenticationAttemptsExceeded', + ]); - if (params.authentication) { + switch (typeAlert) { + case 'invalidLoginPassword': { + alert.location = Authentication.invalidLoginPassword.location; + alert.rule = { ...Authentication.invalidLoginPassword.rule }; + alert.rule.groups = [...Authentication.invalidLoginPassword.rule.groups]; + alert.full_log = interpolateAlertProps(Authentication.invalidLoginPassword.full_log, alert); + break; + } + case 'invalidLoginUser': { + alert.location = Authentication.invalidLoginUser.location; + alert.rule = { ...Authentication.invalidLoginUser.rule }; + alert.rule.groups = [...Authentication.invalidLoginUser.rule.groups]; + alert.full_log = interpolateAlertProps(Authentication.invalidLoginUser.full_log, alert); + break; + } + case 'multipleAuthenticationFailures': { + alert.location = Authentication.multipleAuthenticationFailures.location; + alert.rule = { ...Authentication.multipleAuthenticationFailures.rule }; + alert.rule.groups = [...Authentication.multipleAuthenticationFailures.rule.groups]; + alert.rule.frequency = randomIntervalInteger(5, 50); + alert.full_log = interpolateAlertProps( + Authentication.multipleAuthenticationFailures.full_log, + alert + ); + break; + } + case 'windowsInvalidLoginPassword': { + alert.location = Authentication.windowsInvalidLoginPassword.location; + alert.rule = { 
...Authentication.windowsInvalidLoginPassword.rule }; + alert.rule.groups = [...Authentication.windowsInvalidLoginPassword.rule.groups]; + alert.rule.frequency = randomIntervalInteger(5, 50); + alert.data.win = { ...Authentication.windowsInvalidLoginPassword.data_win }; + alert.data.win.eventdata.ipAddress = randomArrayItem(IPs); + alert.data.win.eventdata.ipPort = randomArrayItem(Ports); + alert.data.win.system.computer = randomArrayItem(Win_Hostnames); + alert.data.win.system.eventID = `${randomIntervalInteger(1, 600)}`; + alert.data.win.system.eventRecordID = `${randomIntervalInteger(10000, 50000)}`; + alert.data.win.system.processID = `${randomIntervalInteger(1, 1200)}`; + alert.data.win.system.systemTime = alert.timestamp; + alert.data.win.system.processID = `${randomIntervalInteger(1, 1200)}`; + alert.data.win.system.task = `${randomIntervalInteger(1, 1800)}`; + alert.data.win.system.threadID = `${randomIntervalInteger(1, 500)}`; + alert.full_log = interpolateAlertProps( + Authentication.windowsInvalidLoginPassword.full_log, + alert + ); + break; + } + case 'userLoginFailed': { + alert.location = Authentication.userLoginFailed.location; + alert.rule = { ...Authentication.userLoginFailed.rule }; + alert.rule.groups = [...Authentication.userLoginFailed.rule.groups]; alert.data = { - srcip: randomArrayItem(IPs), - srcuser: randomArrayItem(Users), - srcport: randomArrayItem(Ports) - }; - alert.GeoLocation = randomArrayItem(GeoLocation); - alert.decoder = { - name: 'sshd', - parent: 'sshd' - }; - alert.input = { - type: 'log' + srcip: randomArrayItem(IPs), + dstuser: randomArrayItem(Users), + uid: `${randomIntervalInteger(0, 50)}`, + euid: `${randomIntervalInteger(0, 50)}`, + tty: 'ssh', }; - alert.predecoder = { - program_name: 'sshd', - timestamp: formatDate(new Date(alert.timestamp), 'N D h:m:s'), - hostname: alert.manager.name + alert.decoder = { ...Authentication.userLoginFailed.decoder }; + alert.full_log = 
interpolateAlertProps(Authentication.userLoginFailed.full_log, alert); + break; + } + case 'passwordCheckFailed': { + alert.location = Authentication.passwordCheckFailed.location; + alert.rule = { ...Authentication.passwordCheckFailed.rule }; + alert.rule.groups = [...Authentication.passwordCheckFailed.rule.groups]; + alert.data = { + srcuser: randomArrayItem(Users), }; - let typeAlert = randomArrayItem(['invalidLoginPassword','invalidLoginUser', 'multipleAuthenticationFailures','windowsInvalidLoginPassword','userLoginFailed', 'passwordCheckFailed', 'nonExistentUser', 'bruteForceTryingAccessSystem', 'authenticationSuccess', 'maximumAuthenticationAttemptsExceeded']); - - switch (typeAlert){ - case 'invalidLoginPassword':{ - alert.location = Authentication.invalidLoginPassword.location; - alert.rule = {...Authentication.invalidLoginPassword.rule}; - alert.rule.groups = [...Authentication.invalidLoginPassword.rule.groups]; - alert.full_log = interpolateAlertProps(Authentication.invalidLoginPassword.full_log, alert); - break - } - case 'invalidLoginUser':{ - alert.location = Authentication.invalidLoginUser.location; - alert.rule = {...Authentication.invalidLoginUser.rule}; - alert.rule.groups = [...Authentication.invalidLoginUser.rule.groups]; - alert.full_log = interpolateAlertProps(Authentication.invalidLoginUser.full_log, alert); - break - } - case 'multipleAuthenticationFailures':{ - alert.location = Authentication.multipleAuthenticationFailures.location; - alert.rule = {...Authentication.multipleAuthenticationFailures.rule}; - alert.rule.groups = [...Authentication.multipleAuthenticationFailures.rule.groups]; - alert.rule.frequency = randomIntervalInteger(5,50); - alert.full_log = interpolateAlertProps(Authentication.multipleAuthenticationFailures.full_log, alert); - break - } - case 'windowsInvalidLoginPassword':{ - alert.location = Authentication.windowsInvalidLoginPassword.location; - alert.rule = {...Authentication.windowsInvalidLoginPassword.rule }; - 
alert.rule.groups = [...Authentication.windowsInvalidLoginPassword.rule.groups]; - alert.rule.frequency = randomIntervalInteger(5,50); - alert.data.win = {...Authentication.windowsInvalidLoginPassword.data_win}; - alert.data.win.eventdata.ipAddress = randomArrayItem(IPs); - alert.data.win.eventdata.ipPort = randomArrayItem(Ports); - alert.data.win.system.computer = randomArrayItem(Win_Hostnames); - alert.data.win.system.eventID = `${randomIntervalInteger(1,600)}`; - alert.data.win.system.eventRecordID = `${randomIntervalInteger(10000,50000)}`; - alert.data.win.system.processID = `${randomIntervalInteger(1,1200)}`; - alert.data.win.system.systemTime = alert.timestamp; - alert.data.win.system.processID = `${randomIntervalInteger(1,1200)}`; - alert.data.win.system.task = `${randomIntervalInteger(1,1800)}`; - alert.data.win.system.threadID = `${randomIntervalInteger(1,500)}`; - alert.full_log = interpolateAlertProps(Authentication.windowsInvalidLoginPassword.full_log, alert); - break - } - case 'userLoginFailed':{ - alert.location = Authentication.userLoginFailed.location; - alert.rule = {...Authentication.userLoginFailed.rule}; - alert.rule.groups = [...Authentication.userLoginFailed.rule.groups]; - alert.data = { - srcip: randomArrayItem(IPs), - dstuser: randomArrayItem(Users), - uid: `${randomIntervalInteger(0,50)}`, - euid: `${randomIntervalInteger(0,50)}`, - tty: "ssh" - }; - alert.decoder = {...Authentication.userLoginFailed.decoder} - alert.full_log = interpolateAlertProps(Authentication.userLoginFailed.full_log, alert); - break - } - case 'passwordCheckFailed':{ - alert.location = Authentication.passwordCheckFailed.location; - alert.rule = {...Authentication.passwordCheckFailed.rule}; - alert.rule.groups = [...Authentication.passwordCheckFailed.rule.groups]; - alert.data = { - srcuser: randomArrayItem(Users) - }; - alert.predecoder.program_name = "unix_chkpwd"; - alert.decoder = {...Authentication.passwordCheckFailed.decoder}; - alert.full_log = 
interpolateAlertProps(Authentication.passwordCheckFailed.full_log, alert); - break - } - case 'nonExistentUser':{ - alert.location = Authentication.nonExistentUser.location; - alert.rule = {...Authentication.nonExistentUser.rule}; - alert.rule.groups = [...Authentication.nonExistentUser.rule.groups]; - alert.full_log = interpolateAlertProps(Authentication.nonExistentUser.full_log, alert); - break - } - case 'bruteForceTryingAccessSystem':{ - alert.location = Authentication.bruteForceTryingAccessSystem.location; - alert.rule = {...Authentication.bruteForceTryingAccessSystem.rule}; - alert.rule.groups = [...Authentication.bruteForceTryingAccessSystem.rule.groups]; - alert.full_log = interpolateAlertProps(Authentication.bruteForceTryingAccessSystem.full_log, alert); - break - } - case 'reverseLoockupError':{ - alert.location = Authentication.reverseLoockupError.location; - alert.rule = {...Authentication.reverseLoockupError.rule}; - alert.rule.groups = [...Authentication.reverseLoockupError.rule.groups]; - alert.data = { - srcip: randomArrayItem(IPs) - }; - alert.full_log = interpolateAlertProps(Authentication.reverseLoockupError.full_log, alert); - } - case 'insecureConnectionAttempt':{ - alert.location = Authentication.insecureConnectionAttempt.location; - alert.rule = {...Authentication.insecureConnectionAttempt.rule}; - alert.rule.groups = [...Authentication.insecureConnectionAttempt.rule.groups]; - alert.data = { - srcip: randomArrayItem(IPs), - srcport: randomArrayItem(Ports), - }; - alert.full_log = interpolateAlertProps(Authentication.insecureConnectionAttempt.full_log, alert); - } - case 'authenticationSuccess':{ - alert.location = Authentication.authenticationSuccess.location; - alert.rule = {...Authentication.authenticationSuccess.rule}; - alert.rule.groups = [...Authentication.authenticationSuccess.rule.groups]; - alert.data = { - srcip: randomArrayItem(IPs), - srcport: randomArrayItem(Ports), - dstuser: randomArrayItem(Users) - }; - alert.full_log = 
interpolateAlertProps(Authentication.authenticationSuccess.full_log, alert); - } - case 'maximumAuthenticationAttemptsExceeded':{ - alert.location = Authentication.maximumAuthenticationAttemptsExceeded.location; - alert.rule = {...Authentication.maximumAuthenticationAttemptsExceeded.rule}; - alert.rule.groups = [...Authentication.maximumAuthenticationAttemptsExceeded.rule.groups]; - alert.data = { - srcip: randomArrayItem(IPs), - srcport: randomArrayItem(Ports), - dstuser: randomArrayItem(Users) - }; - alert.full_log = interpolateAlertProps(Authentication.maximumAuthenticationAttemptsExceeded.full_log, alert); - } - default: {} - } - alert.rule.firedtimes = randomIntervalInteger(2,15); - alert.rule.tsc = [randomArrayItem(tsc)]; - } - - if( params.ssh ){ + alert.predecoder.program_name = 'unix_chkpwd'; + alert.decoder = { ...Authentication.passwordCheckFailed.decoder }; + alert.full_log = interpolateAlertProps(Authentication.passwordCheckFailed.full_log, alert); + break; + } + case 'nonExistentUser': { + alert.location = Authentication.nonExistentUser.location; + alert.rule = { ...Authentication.nonExistentUser.rule }; + alert.rule.groups = [...Authentication.nonExistentUser.rule.groups]; + alert.full_log = interpolateAlertProps(Authentication.nonExistentUser.full_log, alert); + break; + } + case 'bruteForceTryingAccessSystem': { + alert.location = Authentication.bruteForceTryingAccessSystem.location; + alert.rule = { ...Authentication.bruteForceTryingAccessSystem.rule }; + alert.rule.groups = [...Authentication.bruteForceTryingAccessSystem.rule.groups]; + alert.full_log = interpolateAlertProps( + Authentication.bruteForceTryingAccessSystem.full_log, + alert + ); + break; + } + case 'reverseLoockupError': { + alert.location = Authentication.reverseLoockupError.location; + alert.rule = { ...Authentication.reverseLoockupError.rule }; + alert.rule.groups = [...Authentication.reverseLoockupError.rule.groups]; alert.data = { - srcip: randomArrayItem(IPs), - srcuser: 
randomArrayItem(Users), - srcport: randomArrayItem(Ports) + srcip: randomArrayItem(IPs), }; - alert.GeoLocation = randomArrayItem(GeoLocation); - alert.decoder = { - name: 'sshd', - parent: 'sshd' + alert.full_log = interpolateAlertProps(Authentication.reverseLoockupError.full_log, alert); + } + case 'insecureConnectionAttempt': { + alert.location = Authentication.insecureConnectionAttempt.location; + alert.rule = { ...Authentication.insecureConnectionAttempt.rule }; + alert.rule.groups = [...Authentication.insecureConnectionAttempt.rule.groups]; + alert.data = { + srcip: randomArrayItem(IPs), + srcport: randomArrayItem(Ports), }; - alert.input = { - type: 'log' + alert.full_log = interpolateAlertProps( + Authentication.insecureConnectionAttempt.full_log, + alert + ); + } + case 'authenticationSuccess': { + alert.location = Authentication.authenticationSuccess.location; + alert.rule = { ...Authentication.authenticationSuccess.rule }; + alert.rule.groups = [...Authentication.authenticationSuccess.rule.groups]; + alert.data = { + srcip: randomArrayItem(IPs), + srcport: randomArrayItem(Ports), + dstuser: randomArrayItem(Users), }; - alert.predecoder = { - program_name: 'sshd', - timestamp: formatDate(new Date(alert.timestamp), 'N D h:m:s'), - hostname: alert.manager.name + alert.full_log = interpolateAlertProps( + Authentication.authenticationSuccess.full_log, + alert + ); + } + case 'maximumAuthenticationAttemptsExceeded': { + alert.location = Authentication.maximumAuthenticationAttemptsExceeded.location; + alert.rule = { ...Authentication.maximumAuthenticationAttemptsExceeded.rule }; + alert.rule.groups = [...Authentication.maximumAuthenticationAttemptsExceeded.rule.groups]; + alert.data = { + srcip: randomArrayItem(IPs), + srcport: randomArrayItem(Ports), + dstuser: randomArrayItem(Users), }; - const typeAlert = randomArrayItem(SSH.data); - alert.location = typeAlert.location; - alert.rule = {...typeAlert.rule}; - alert.rule.groups = [...typeAlert.rule.groups]; - 
alert.rule.firedtimes = randomIntervalInteger(1,15); - alert.full_log = interpolateAlertProps(typeAlert.full_log, alert); - + alert.full_log = interpolateAlertProps( + Authentication.maximumAuthenticationAttemptsExceeded.full_log, + alert + ); + } + default: { + } } + alert.rule.firedtimes = randomIntervalInteger(2, 15); + alert.rule.tsc = [randomArrayItem(tsc)]; + } - if ( params.windows ){ - alert.rule.groups.push('windows'); - if(params.windows.service_control_manager){ - alert.predecoder = { - program_name: 'WinEvtLog', - timestamp: '2020 Apr 17 05:59:05' - }; - alert.input = { - type: 'log' - }; - alert.data = { - extra_data: 'Service Control Manager', - dstuser: 'SYSTEM', - system_name: randomArrayItem(Win_Hostnames), - id: '7040', - type: 'type', - status: 'INFORMATION' - } - alert.rule.description = 'Windows: Service startup type was changed.' - alert.rule.firedtimes = randomIntervalInteger(1,20); - alert.rule.mail = false - alert.rule.level = 3; - alert.rule.groups.push('windows', 'policy_changed'); - alert.rule.pci = ['10.6']; - alert.rule.hipaa = ['164.312.b']; - alert.rule.gdpr = ['IV_35.7.d']; - alert.rule.nist_800_53 = ['AU.6']; - alert.rule.info = 'This does not appear to be logged on Windows 2000.'; - alert.location = 'WinEvtLog'; - alert.decoder = { - parent: 'windows', - name: 'windows' - } - alert.full_log = `2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: ${alert.data.system_name}: Background Intelligent Transfer Service auto start demand start BITS ` //TODO: date - alert.id = 18145; - alert.fields = { - timestamp: alert.timestamp - }; - } - } + if (params.ssh) { + alert.data = { + srcip: randomArrayItem(IPs), + srcuser: randomArrayItem(Users), + srcport: randomArrayItem(Ports), + }; + alert.GeoLocation = randomArrayItem(GeoLocation); + alert.decoder = { + name: 'sshd', + parent: 'sshd', + }; + alert.input = { + type: 'log', + }; + alert.predecoder = { + program_name: 'sshd', + timestamp: 
formatDate(new Date(alert.timestamp), 'N D h:m:s'), + hostname: alert.manager.name, + }; + const typeAlert = randomArrayItem(SSH.data); + alert.location = typeAlert.location; + alert.rule = { ...typeAlert.rule }; + alert.rule.groups = [...typeAlert.rule.groups]; + alert.rule.firedtimes = randomIntervalInteger(1, 15); + alert.full_log = interpolateAlertProps(typeAlert.full_log, alert); + } - if ( params.apache ){ - const typeAlert = {...Apache.data[0]}; // there is only one type alert in data array at the moment. Randomize if add more type of alerts to data array - alert.data = { - srcip: randomArrayItem(IPs), - srcport: randomArrayItem(Ports), - id: `AH${randomIntervalInteger(10000,99999)}` - }; - alert.GeoLocation = {...randomArrayItem(GeoLocation)}; - alert.rule = {...typeAlert.rule }; - alert.rule.firedtimes = randomIntervalInteger(2,10); - alert.input = { type: 'log' }; - alert.location = Apache.location; - alert.decoder = {...Apache.decoder}; - - alert.full_log = interpolateAlertProps(typeAlert.full_log, alert, { - _timestamp_apache: formatDate(new Date(alert.timestamp), 'E N D h:m:s.l Y'), - _pi_id: randomIntervalInteger(10000,30000) - }); + if (params.windows) { + alert.rule.groups.push('windows'); + if (params.windows.service_control_manager) { + alert.predecoder = { + program_name: 'WinEvtLog', + timestamp: '2020 Apr 17 05:59:05', + }; + alert.input = { + type: 'log', + }; + alert.data = { + extra_data: 'Service Control Manager', + dstuser: 'SYSTEM', + system_name: randomArrayItem(Win_Hostnames), + id: '7040', + type: 'type', + status: 'INFORMATION', + }; + alert.rule.description = 'Windows: Service startup type was changed.'; + alert.rule.firedtimes = randomIntervalInteger(1, 20); + alert.rule.mail = false; + alert.rule.level = 3; + alert.rule.groups.push('windows', 'policy_changed'); + alert.rule.pci = ['10.6']; + alert.rule.hipaa = ['164.312.b']; + alert.rule.gdpr = ['IV_35.7.d']; + alert.rule.nist_800_53 = ['AU.6']; + alert.rule.info = 'This does not 
appear to be logged on Windows 2000.'; + alert.location = 'WinEvtLog'; + alert.decoder = { + parent: 'windows', + name: 'windows', + }; + alert.full_log = `2020 Apr 17 05:59:05 WinEvtLog: type: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: ${alert.data.system_name}: Background Intelligent Transfer Service auto start demand start BITS `; //TODO: date + alert.id = 18145; + alert.fields = { + timestamp: alert.timestamp, + }; } + } - if ( params.web ){ - alert.input = { - type: 'log' - }; - alert.data = { - protocol: 'GET', - srcip: randomArrayItem(IPs), - id: '404', - url: randomArrayItem(Web.urls) - }; - alert.GeoLocation = {...randomArrayItem(GeoLocation)}; + if (params.apache) { + const typeAlert = { ...Apache.data[0] }; // there is only one type alert in data array at the moment. Randomize if add more type of alerts to data array + alert.data = { + srcip: randomArrayItem(IPs), + srcport: randomArrayItem(Ports), + id: `AH${randomIntervalInteger(10000, 99999)}`, + }; + alert.GeoLocation = { ...randomArrayItem(GeoLocation) }; + alert.rule = { ...typeAlert.rule }; + alert.rule.firedtimes = randomIntervalInteger(2, 10); + alert.input = { type: 'log' }; + alert.location = Apache.location; + alert.decoder = { ...Apache.decoder }; - const typeAlert = randomArrayItem(Web.data); - const userAgent = randomArrayItem(Web.userAgents) - alert.rule = {...typeAlert.rule}; - alert.rule.firedtimes = randomIntervalInteger(1,10); - alert.decoder = {...typeAlert.decoder}; - alert.location = typeAlert.location; - alert.full_log = interpolateAlertProps(typeAlert.full_log, alert, { + alert.full_log = interpolateAlertProps(typeAlert.full_log, alert, { + _timestamp_apache: formatDate(new Date(alert.timestamp), 'E N D h:m:s.l Y'), + _pi_id: randomIntervalInteger(10000, 30000), + }); + } + + if (params.web) { + alert.input = { + type: 'log', + }; + alert.data = { + protocol: 'GET', + srcip: randomArrayItem(IPs), + id: '404', + url: randomArrayItem(Web.urls), + }; + 
alert.GeoLocation = { ...randomArrayItem(GeoLocation) }; + + const typeAlert = randomArrayItem(Web.data); + const userAgent = randomArrayItem(Web.userAgents); + alert.rule = { ...typeAlert.rule }; + alert.rule.firedtimes = randomIntervalInteger(1, 10); + alert.decoder = { ...typeAlert.decoder }; + alert.location = typeAlert.location; + alert.full_log = interpolateAlertProps(typeAlert.full_log, alert, { + _user_agent: userAgent, + _date: formatDate(new Date(alert.timestamp), 'D/N/Y:h:m:s +0000'), + }); + if (typeAlert.previous_output) { + const previousOutput = []; + const beforeSeconds = 4; + for (let i = beforeSeconds; i > 0; i--) { + const beforeDate = new Date(new Date(alert.timestamp) - (2 + i) * 1000); + previousOutput.push( + interpolateAlertProps(typeAlert.full_log, alert, { _user_agent: userAgent, - _date: formatDate(new Date(alert.timestamp), 'D/N/Y:h:m:s +0000') - }); - if(typeAlert.previous_output){ - const previousOutput = [] - const beforeSeconds = 4 - for(let i = beforeSeconds; i > 0; i--){ - const beforeDate = new Date(new Date(alert.timestamp) - ((2+i)*1000)); - previousOutput.push( - interpolateAlertProps(typeAlert.full_log, alert, { - _user_agent: userAgent, - _date: formatDate(new Date(beforeDate), 'D/N/Y:h:m:s +0000') - }) - ) - } - alert.previous_output = previousOutput.join('\n'); - } + _date: formatDate(new Date(beforeDate), 'D/N/Y:h:m:s +0000'), + }) + ); + } + alert.previous_output = previousOutput.join('\n'); } - return alert; + } + return alert; } /** 
@@ -838,37 +921,37 @@ function generateAlert(params) {
  * @param {function} sort Funciton to seort elements
  * @return {*} Array with random values extracted of paramater array passed
  */
-function randomUniqueValuesFromArray(array, randomMaxRepetitions = 1, sort){
- const repetitions = randomIntervalInteger(1, randomMaxRepetitions);
- const set = new Set();
- for (let i = 0; i < repetitions; i++) {
- set.add(array[randomIntervalInteger(0, array.length - 1)]);
- }
- return sort ? Array.from(set).sort(sort) : Array.from(set)
+function randomUniqueValuesFromArray(array, randomMaxRepetitions = 1, sort) {
+ const repetitions = randomIntervalInteger(1, randomMaxRepetitions);
+ const set = new Set();
+ for (let i = 0; i < repetitions; i++) {
+ set.add(array[randomIntervalInteger(0, array.length - 1)]);
+ }
+ return sort ? Array.from(set).sort(sort) : Array.from(set);
 }
 
 /**
- * Get a integer within a range
+ * Get a integer within a range
  * @param {number} min - Minimum limit
  * @param {number} max - Maximum limit
  * @returns {number} - Randomized number in interval
  */
 function randomIntervalInteger(min, max) {
- return Math.floor(Math.random() * (max - (min - 1))) + min;
+ return Math.floor(Math.random() * (max - (min - 1))) + min;
 }
 
 /**
  * Generate random alerts
- * @param {*} params
+ * @param {*} params
  * @param {number} numAlerts - Define number of alerts
  * @return {*} - Random generated alerts defined with params
  */
 function generateAlerts(params, numAlerts = 1) {
- const alerts = [];
- for (let i = 0; i < numAlerts; i++) {
- alerts.push(generateAlert(params));
- }
- return alerts;
+ const alerts = [];
+ for (let i = 0; i < numAlerts; i++) {
+ alerts.push(generateAlert(params));
+ }
+ return alerts;
 }
 
 /**
@@ -876,76 +959,90 @@ function generateAlerts(params, numAlerts = 1) { * @returns {date} - Random date in range (7 days ago - now) */ function randomDate(inf, sup) { + const nowTimestamp = Date.now(); + const time = randomIntervalInteger(0, 604800000); // Random 7 days in miliseconds - const nowTimestamp = Date.now(); - const time = randomIntervalInteger(0, 604800000); // Random 7 days in miliseconds - - const unix_timestamp = nowTimestamp - time; // Last 7 days from now + const unix_timestamp = nowTimestamp - time; // Last 7 days from now - const lastWeek = new Date(unix_timestamp); - return formatDate(lastWeek, 'Y-M-DTh:m:s.l+0000') + const lastWeek = new Date(unix_timestamp); + return formatDate(lastWeek, 'Y-M-DTh:m:s.l+0000'); } -const formatterNumber = (number, zeros = 0) => ("0".repeat(zeros) + `${number}`).slice(-zeros); +const formatterNumber = (number, zeros = 0) => ('0'.repeat(zeros) + `${number}`).slice(-zeros); const monthNames = { - long: ['January', 'February', 'March', 'April', 'May', 'June', 'July', 'August', 'September', 'October', 'November', 'December'], - short: ['Jan', 'Feb', 'Mar', 'Apr', 'May', 'Jun', 'Jul', 'Aug', 'Sep', 'Oct', 'Nov', 'Dec'] + long: [ + 'January', + 'February', + 'March', + 'April', + 'May', + 'June', + 'July', + 'August', + 'September', + 'October', + 'November', + 'December', + ], + short: ['Jan', 'Feb', 'Mar', 'Apr', 'May', 'Jun', 'Jul', 'Aug', 'Sep', 'Oct', 'Nov', 'Dec'], }; const dayNames = { - long: ['Sunday', 'Monday', 'Tuesday', 'Wednesday', 'Thursday', 'Friday', 'Saturday'], - short: ['Sun', 'Mon', 'Tue', 'Wed', 'Thu', 'Fri', 'Sat'] + long: ['Sunday', 'Monday', 'Tuesday', 'Wednesday', 'Thursday', 'Friday', 'Saturday'], + short: ['Sun', 'Mon', 'Tue', 'Wed', 'Thu', 'Fri', 'Sat'], }; -function formatDate(date, format){ // It could use "moment" library to format strings too - const tokens = { - 'D': (d) => formatterNumber(d.getDate(), 2), // 01-31 - 'A': (d) => dayNames.long[d.getDay()], // 'Sunday', 'Monday', 
'Tuesday', 'Wednesday', 'Thursday', 'Friday', 'Saturday' - 'E': (d) => dayNames.short[d.getDay()], // 'Sun', 'Mon', 'Tue', 'Wed', 'Thu', 'Fri', 'Sat' - 'M': (d) => formatterNumber(d.getMonth() + 1, 2), // 01-12 - 'J': (d) => monthNames.long[d.getMonth()], // 'January', 'February', 'March', 'April', 'May', 'June', 'July', 'August', 'September', 'October', 'November', 'December' - 'N': (d) => monthNames.short[d.getMonth()], // 'Jan', 'Feb', 'Mar', 'Apr', 'May', 'Jun', 'Jul', 'Aug', 'Sep', 'Oct', 'Nov', 'Dec' - 'Y': (d) => d.getFullYear(), // 2020 - 'h': (d) => formatterNumber(d.getHours(), 2), // 00-23 - 'm': (d) => formatterNumber(d.getMinutes(), 2), // 00-59 - 's': (d) => formatterNumber(d.getSeconds(), 2), // 00-59 - 'l': (d) => formatterNumber(d.getMilliseconds(), 3) // 000-999 - } +function formatDate(date, format) { + // It could use "moment" library to format strings too + const tokens = { + D: d => formatterNumber(d.getDate(), 2), // 01-31 + A: d => dayNames.long[d.getDay()], // 'Sunday', 'Monday', 'Tuesday', 'Wednesday', 'Thursday', 'Friday', 'Saturday' + E: d => dayNames.short[d.getDay()], // 'Sun', 'Mon', 'Tue', 'Wed', 'Thu', 'Fri', 'Sat' + M: d => formatterNumber(d.getMonth() + 1, 2), // 01-12 + J: d => monthNames.long[d.getMonth()], // 'January', 'February', 'March', 'April', 'May', 'June', 'July', 'August', 'September', 'October', 'November', 'December' + N: d => monthNames.short[d.getMonth()], // 'Jan', 'Feb', 'Mar', 'Apr', 'May', 'Jun', 'Jul', 'Aug', 'Sep', 'Oct', 'Nov', 'Dec' + Y: d => d.getFullYear(), // 2020 + h: d => formatterNumber(d.getHours(), 2), // 00-23 + m: d => formatterNumber(d.getMinutes(), 2), // 00-59 + s: d => formatterNumber(d.getSeconds(), 2), // 00-59 + l: d => formatterNumber(d.getMilliseconds(), 3), // 000-999 + }; - return format.split('').reduce((accum, token) => { - if(tokens[token]){ - return accum + tokens[token](date) - } - return accum + token - },'') + return format.split('').reduce((accum, token) => { + if 
(tokens[token]) { + return accum + tokens[token](date); + } + return accum + token; + }, ''); } /** - * + * * @param {string} str String with interpolations * @param {*} alert Alert object * @param {*} extra Extra parameters to interpolate what aren't in alert objet. Only admit one level of depth */ -function interpolateAlertProps(str, alert, extra = {}){ - const matches = str.match(/{([\w\._]+)}/g); - return (matches && matches.reduce((accum, cur) => { - const match = cur.match(/{([\w\._]+)}/); - const items = match[1].split('.'); - const value = items.reduce((a,c) => (a && a[c]) || extra[c] || undefined, alert) || cur; - return accum.replace(cur,value); - }, str)) || str +function interpolateAlertProps(str, alert, extra = {}) { + const matches = str.match(/{([\w\._]+)}/g); + return ( + (matches && + matches.reduce((accum, cur) => { + const match = cur.match(/{([\w\._]+)}/); + const items = match[1].split('.'); + const value = items.reduce((a, c) => (a && a[c]) || extra[c] || undefined, alert) || cur; + return accum.replace(cur, value); + }, str)) || + str + ); } /** * Return a random probability - * @param {number} probability - * @param {number[=100]} maximum + * @param {number} probability + * @param {number[=100]} maximum */ -function randomProbability(probability, maximum = 100){ - return randomIntervalInteger(0,maximum) <= probability +function randomProbability(probability, maximum = 100) { + return randomIntervalInteger(0, maximum) <= probability; } -export { - generateAlert, - generateAlerts -}; \ No newline at end of file +export { generateAlert, generateAlerts }; diff --git a/server/lib/generate-alerts/sample-data/authentication.js b/server/lib/generate-alerts/sample-data/authentication.js index ced026043e..ea02ab4ced 100644 --- a/server/lib/generate-alerts/sample-data/authentication.js +++ b/server/lib/generate-alerts/sample-data/authentication.js 
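Review bot: `formatDate` is used with formats that end in a literal `+0000` (`'Y-M-DTh:m:s.l+0000'` in `randomDate`, `'D/N/Y:h:m:s +0000'` for the web `_date`), but every token callback reads local-time fields (`d.getHours()`, `d.getDate()`, `d.getMonth()`, …), so on a host whose clock is not UTC the generated timestamps carry the wrong offset; this hunk is a Prettier reformat and carries that over unchanged. Reading the fields through the UTC getters makes the appended offset truthful. Separately, `randomDate(inf, sup)` never reads `inf` or `sup` — either honour them or drop them from the signature — and `interpolateAlertProps` resolves values with `||`, so an alert value of `0` or `''` is silently replaced by the `extra` value or left as the `{…}` placeholder.
```javascript
function formatDate(date, format) {
  // Fields are read in UTC so the literal '+0000' the callers append is correct regardless of host timezone.
  const tokens = {
    D: d => formatterNumber(d.getUTCDate(), 2), // 01-31
    A: d => dayNames.long[d.getUTCDay()],
    E: d => dayNames.short[d.getUTCDay()],
    M: d => formatterNumber(d.getUTCMonth() + 1, 2), // 01-12
    J: d => monthNames.long[d.getUTCMonth()],
    N: d => monthNames.short[d.getUTCMonth()],
    Y: d => d.getUTCFullYear(),
    h: d => formatterNumber(d.getUTCHours(), 2), // 00-23
    m: d => formatterNumber(d.getUTCMinutes(), 2), // 00-59
    s: d => formatterNumber(d.getUTCSeconds(), 2), // 00-59
    l: d => formatterNumber(d.getUTCMilliseconds(), 3), // 000-999
  };
  // … unchanged: reduce over the format characters …
}
```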
@@ -10,17 +10,18 @@ * Find more information about this on the LICENSE file. */ - export const invalidLoginPassword = { +export const invalidLoginPassword = { decoder: { - parent: "sshd", - name: "sshd" + parent: 'sshd', + name: 'sshd', }, - full_log: "{predecoder.timestamp} {predecoder.hostname} sshd[5330]: Failed password for {data.srcuser} from {data.srcip} port {data.srcport} ssh2", - location: "/var/log/auth.log", + full_log: + '{predecoder.timestamp} {predecoder.hostname} sshd[5330]: Failed password for {data.srcuser} from {data.srcip} port {data.srcport} ssh2', + location: '/var/log/auth.log', predecoder: { - program_name: "sshd", - timestamp: "Apr 17 00:17:52", - hostname: "ip-10-0-1-50" + program_name: 'sshd', + timestamp: 'Apr 17 00:17:52', + hostname: 'ip-10-0-1-50', }, rule: { description: 'sshd: authentication failed.', 
@@ -28,43 +29,44 @@ id: 5716, level: 5, mail: false, - pci_dss: ["10.2.4", "10.2.5"], - gpg13: ["7.1"], - gdpr: ["IV_35.7.d", "IV_32.2"], - hipaa: ["164.312.b"], - nist_800_53: ["AU.14", "AC.7"] - } + pci_dss: ['10.2.4', '10.2.5'], + gpg13: ['7.1'], + gdpr: ['IV_35.7.d', 'IV_32.2'], + hipaa: ['164.312.b'], + nist_800_53: ['AU.14', 'AC.7'], + }, }; export const invalidLoginUser = { decoder: { - parent: "sshd", - name: "sshd" + parent: 'sshd', + name: 'sshd', }, - full_log: '{predecoder.timestamp} {predecoder.hostname} sshd[10022]: Invalid user {data.srcuser} from {data.srcuser} from {data.srcip} port {data.srcport} ssh2', + full_log: + '{predecoder.timestamp} {predecoder.hostname} sshd[10022]: Invalid user {data.srcuser} from {data.srcuser} from {data.srcip} port {data.srcport} ssh2', location: '/var/log/secure', predecoder: { - program_name: "sshd", - timestamp: "Apr 17 00:17:52", - hostname: "ip-10-0-1-50" + program_name: 'sshd', + timestamp: 'Apr 17 00:17:52', + hostname: 'ip-10-0-1-50', }, rule: { description: 'sshd: Attempt to login using a non-existent user', groups: ['syslog', 'sshd', 'invalid_login', 'authentication_failed'], id: 5710, level: 5, - pci_dss: ["10.2.4","10.2.5","10.6.1"], - gpg13:["7.1"], - gdpr: ["IV_35.7.d","IV_32.2"], - hipaa:["164.312.b"], - nist_800_53:["AU.14","AC.7","AU.6"] - } + pci_dss: ['10.2.4', '10.2.5', '10.6.1'], + gpg13: ['7.1'], + gdpr: ['IV_35.7.d', 'IV_32.2'], + hipaa: ['164.312.b'], + nist_800_53: ['AU.14', 'AC.7', 'AU.6'], + }, }; export const multipleAuthenticationFailures = { decoder: { - parent: "sshd", - name: "sshd" + parent: 'sshd', + name: 'sshd', }, full_log: `{predecoder.timestamp} {predecoder.hostname} sshd[5413]: Failed password for invalid user {data.srcuser} from {data.srcip} port {data.srcport} ssh2`, location: '/var/log/secure', 
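Review bot: The `full_log` template of `invalidLoginUser` still reads `Invalid user {data.srcuser} from {data.srcuser} from {data.srcip} port {data.srcport} ssh2`, repeating the user name where the other sshd fixtures in this file (`nonExistentUser`, `bruteForceTryingAccessSystem`) have only `from {data.srcip}`; the reformat carried the duplicate over. Suggested line: `'{predecoder.timestamp} {predecoder.hostname} sshd[10022]: Invalid user {data.srcuser} from {data.srcip} port {data.srcport}'`. Sample events whose raw line does not match what the decoder would really see are of limited use for checking dashboards and rules, so it is worth correcting while the file is being touched.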
@@ -74,176 +76,181 @@ export const multipleAuthenticationFailures = { level: 10, frequency: 8, groups: ['syslog', 'sshd', 'authentication_failures'], - pci_dss: ["10.2.4","10.2.5","11.4"], - gpg13: ["7.1"], - gdpr: ["IV_35.7.d","IV_32.2"], - hipaa: ["164.312.b"], - nist_800_53: ["AU.14","AC.7","SI.4"] + pci_dss: ['10.2.4', '10.2.5', '11.4'], + gpg13: ['7.1'], + gdpr: ['IV_35.7.d', 'IV_32.2'], + hipaa: ['164.312.b'], + nist_800_53: ['AU.14', 'AC.7', 'SI.4'], }, predecoder: { - program_name: "sshd", - timestamp: "Apr 17 00:17:52", - hostname: "ip-10-0-1-50" - } + program_name: 'sshd', + timestamp: 'Apr 17 00:17:52', + hostname: 'ip-10-0-1-50', + }, }; export const windowsInvalidLoginPassword = { full_log: `{predecoder.timestamp} {predecoder.hostname} sshd[5413]: Failed password for invalid user {data.srcuser} from {data.srcip} port {data.srcport} ssh2`, data_win: { eventdata: { - authenticationPackageName: 'NTLM', - failureReason: '%%2313', - keyLength: 0, - logonProcessName: 'NtLmSsp', - logonType: '3', - processId: '0x0', - status: '0xc000006d', - subStatus: '0xc0000064', - subjectLogonId: '0x0', - subjectUserSid: "S-1-0-0", - targetUserName: "DIRECTION" + authenticationPackageName: 'NTLM', + failureReason: '%%2313', + keyLength: 0, + logonProcessName: 'NtLmSsp', + logonType: '3', + processId: '0x0', + status: '0xc000006d', + subStatus: '0xc0000064', + subjectLogonId: '0x0', + subjectUserSid: 'S-1-0-0', + targetUserName: 'DIRECTION', }, system: { - channel: 'Security', - keywords: '0x8010000000000000', - level: '0', - message: '', - opcode: '0', - providerGuid: '{54849625-5478-4994-a5ba-3e3b0328c30d}', - providerName: 'Microsoft-Windows-Security-Auditing', - severityValue: 'AUDIT_FAILURE', - version: '0' - } + channel: 'Security', + keywords: '0x8010000000000000', + level: '0', + message: '', + opcode: '0', + providerGuid: '{54849625-5478-4994-a5ba-3e3b0328c30d}', + providerName: 'Microsoft-Windows-Security-Auditing', + severityValue: 'AUDIT_FAILURE', + version: 
'0', + }, }, decoder: { - parent: "sshd", - name: "windows_eventchannel" + parent: 'sshd', + name: 'windows_eventchannel', }, location: 'EventChannel', rule: { description: 'Logon Failure - Unknown user or bad password', - groups: ['windows', 'windows_security', 'win_authentication_failed'], + groups: ['windows', 'windows_security', 'win_authentication_failed'], id: 60122, level: 5, pci_dss: ['10.2.4', '10.2.5'], gpg13: ['7.1'], gdpr: ['IV_35.7.d', 'IV_32.2'], hipaa: ['164.312.b'], - nist_800_53: ['AU.1', 'AC.7'] - } -} + nist_800_53: ['AU.1', 'AC.7'], + }, +}; export const userLoginFailed = { - rule: { - id: "5556", + rule: { + id: 5503, level: 5, - description: "PAM: User login failed.", + description: 'PAM: User login failed.', mail: false, - groups: ["pam","syslog","authentication_failed"], - pci_dss:["10.2.4","10.2.5"], - gpg13: ["7.8"], - gdpr:["IV_35.7.d","IV_32.2"], - hipaa:["164.312.b"], - nist_800_53:["AU.14","AC.7"] + groups: ['pam', 'syslog', 'authentication_failed'], + pci_dss: ['10.2.4', '10.2.5'], + gpg13: ['7.8'], + gdpr: ['IV_35.7.d', 'IV_32.2'], + hipaa: ['164.312.b'], + nist_800_53: ['AU.14', 'AC.7'], }, - predecoder:{ - program_name: "sshd", - timestamp: "Apr 17 00:04:40", - hostname: "ip-10-0-1-178" + predecoder: { + program_name: 'sshd', + timestamp: 'Apr 17 00:04:40', + hostname: 'ip-10-0-1-178', }, - decoder:{ - name:"pam" + decoder: { + name: 'pam', }, - location: "/var/log/secure", - full_log: "{predecoder.timestamp} {predecoder.hostname} sshd[11294]: pam_unix(sshd:auth): authentication failure; logname= uid={data.uid} euid={data.euid} tty={data.tty} ruser= rhost={data.srcip} user={data.dstuser}" + location: '/var/log/secure', + full_log: + '{predecoder.timestamp} {predecoder.hostname} sshd[11294]: pam_unix(sshd:auth): authentication failure; logname= uid={data.uid} euid={data.euid} tty={data.tty} ruser= rhost={data.srcip} user={data.dstuser}', }; export const passwordCheckFailed = { rule: { level: 5, - description: "unix_chkpwd: Password 
check failed.", - id: "5557", + description: 'unix_chkpwd: Password check failed.', + id: '5557', mail: false, - groups: ["pam","syslog","authentication_failed"], - pci_dss:["10.2.4","10.2.5"], - gpg13:["4.3"], - gdpr:["IV_35.7.d","IV_32.2"], - hipaa:["164.312.b"], - nist_800_53:["AU.14","AC.7"] + groups: ['pam', 'syslog', 'authentication_failed'], + pci_dss: ['10.2.4', '10.2.5'], + gpg13: ['4.3'], + gdpr: ['IV_35.7.d', 'IV_32.2'], + hipaa: ['164.312.b'], + nist_800_53: ['AU.14', 'AC.7'], }, predecoder: { - program_name: "unix_chkpwd", - timestamp: "Apr 17 00:07:04", - hostname: "ip-10-0-1-132" + program_name: 'unix_chkpwd', + timestamp: 'Apr 17 00:07:04', + hostname: 'ip-10-0-1-132', }, decoder: { - name: "unix_chkpwd" + name: 'unix_chkpwd', }, - data: {srcuser: "root"}, - location: "/var/log/secure", - full_log: "{predecoder.timestamp} {predecoder.hostname} {decoder.name}[29593]: password check failed for user ({data.srcuser})", + data: { srcuser: 'root' }, + location: '/var/log/secure', + full_log: + '{predecoder.timestamp} {predecoder.hostname} {decoder.name}[29593]: password check failed for user ({data.srcuser})', }; export const nonExistentUser = { rule: { mail: false, level: 5, - pci_dss: ["10.2.4","10.2.5","10.6.1"], - hipaa: ["164.312.b"], - description: "sshd: Attempt to login using a non-existent user", - groups: ["syslog","sshd","invalid_login","authentication_failed"], - id: "5710", - nist_800_53: ["AU.14","AC.7","AU.6"], - gpg13: ["7.1"], - gdpr: ["IV_35.7.d","IV_32.2"] + pci_dss: ['10.2.4', '10.2.5', '10.6.1'], + hipaa: ['164.312.b'], + description: 'sshd: Attempt to login using a non-existent user', + groups: ['syslog', 'sshd', 'invalid_login', 'authentication_failed'], + id: '5710', + nist_800_53: ['AU.14', 'AC.7', 'AU.6'], + gpg13: ['7.1'], + gdpr: ['IV_35.7.d', 'IV_32.2'], }, - full_log: "{predecoder.timestamp} {predecoder.hostname} sshd[15724]: Invalid user {data.srcuser} from {data.srcip} port {data.srcport}", - location: "/var/log/secure" -} 
+ full_log: + '{predecoder.timestamp} {predecoder.hostname} sshd[15724]: Invalid user {data.srcuser} from {data.srcip} port {data.srcport}', + location: '/var/log/secure', +}; export const bruteForceTryingAccessSystem = { rule: { mail: false, level: 10, - pci_dss: ["11.4","10.2.4","10.2.5"], - hipaa: ["164.312.b"], - description: "sshd: brute force trying to get access to the system.", - groups: ["syslog","sshd","authentication_failures"], + pci_dss: ['11.4', '10.2.4', '10.2.5'], + hipaa: ['164.312.b'], + description: 'sshd: brute force trying to get access to the system.', + groups: ['syslog', 'sshd', 'authentication_failures'], mitre: { - tactic: ["Credential Access","Lateral Movement"], - technique: ["Brute Force","Remove Services"], - id: ["T1110","T1021"] + tactic: ['Credential Access', 'Lateral Movement'], + technique: ['Brute Force', 'Remove Services'], + id: ['T1110', 'T1021'], }, - id: "5712", - nist_800_53: ["SI.4","AU.14","AC.7"], + id: '5712', + nist_800_53: ['SI.4', 'AU.14', 'AC.7'], frequency: 8, - gdpr: ["IV_35.7.d","IV_32.2"] + gdpr: ['IV_35.7.d', 'IV_32.2'], }, - full_log: "{predecoder.timestamp} {predecoder.hostname} sshd[15722]: Invalid user {data.srcuser} from {data.srcip} port {data.srcport}", - location: "/var/log/secure" + full_log: + '{predecoder.timestamp} {predecoder.hostname} sshd[15722]: Invalid user {data.srcuser} from {data.srcip} port {data.srcport}', + location: '/var/log/secure', }; export const authenticationSuccess = { data: { - srcip: "84.122.71.89", - dstuser: "ec2-user" + srcip: '84.122.71.89', + dstuser: 'ec2-user', }, - full_log: "{predecoder.timestamp} {predecoder.hostname} sshd[12727]: Accepted publickey for {data.dstuser} from {data.srcip} port {data.srcport} ssh2: RSA SHA256:ET29+nbiHqrKs1gUewWTFRCHWdO/vMoRQXPESWn8ZG4", + full_log: + '{predecoder.timestamp} {predecoder.hostname} sshd[12727]: Accepted publickey for {data.dstuser} from {data.srcip} port {data.srcport} ssh2: RSA 
SHA256:ET29+nbiHqrKs1gUewWTFRCHWdO/vMoRQXPESWn8ZG4', input: { - type: "log" + type: 'log', }, - location: "/var/log/secure", + location: '/var/log/secure', rule: { mail: false, level: 3, - pci_dss: ["10.2.5"], - hipaa: ["164.312.b"], - description: "sshd: authentication success.", - groups: ["syslog","sshd","authentication_success"], - id: "5715", - nist_800_53: ["AU.14","AC.7"], - gpg13: ["7.1","7.2"], - gdpr: ["IV_32.2"] + pci_dss: ['10.2.5'], + hipaa: ['164.312.b'], + description: 'sshd: authentication success.', + groups: ['syslog', 'sshd', 'authentication_success'], + id: '5715', + nist_800_53: ['AU.14', 'AC.7'], + gpg13: ['7.1', '7.2'], + gdpr: ['IV_32.2'], }, }; @@ -251,16 +258,17 @@ export const maximumAuthenticationAttemptsExceeded = { rule: { mail: false, level: 8, - description: "Maximum authentication attempts exceeded.", - groups: ["syslog","sshd","authentication_failed"], + description: 'Maximum authentication attempts exceeded.', + groups: ['syslog', 'sshd', 'authentication_failed'], mitre: { - tactic: ["Credential Access","Lateral Movement"], - technique: ["Brute Force","Remove Services"], - id: ["T1110","T1021"] + tactic: ['Credential Access', 'Lateral Movement'], + technique: ['Brute Force', 'Remove Services'], + id: ['T1110', 'T1021'], }, - id: "5758", - gpg13: ["7.1"] + id: '5758', + gpg13: ['7.1'], }, - location: "/var/log/secure", - full_log: "{predecoder.timestamp} {predecoder.hostname} sshd[19767]: error: maximum authentication attempts exceeded for {data.dstuser} from {data.srcip} port {data.srcport} ssh2 [preauth]", -}; \ No newline at end of file + location: '/var/log/secure', + full_log: + '{predecoder.timestamp} {predecoder.hostname} sshd[19767]: error: maximum authentication attempts exceeded for {data.dstuser} from {data.srcip} port {data.srcport} ssh2 [preauth]', +}; diff --git a/server/lib/generate-alerts/sample-data/mitre.js b/server/lib/generate-alerts/sample-data/mitre.js index e22c76fd0d..c8daf485e1 100644 
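Review bot: `rule.id` is still typed inconsistently across the fixtures in this hunk even though the PR is about inconsistent sample data: `userLoginFailed` now gets a numeric `id: 5503` (replacing the string `"5556"`) and `windowsInvalidLoginPassword` has `id: 60122`, while `passwordCheckFailed`, `nonExistentUser`, `bruteForceTryingAccessSystem` and `authenticationSuccess` keep string ids (`'5557'`, `'5710'`, `'5712'`, `'5715'`). A field that is sometimes a number and sometimes a string is awkward to filter and aggregate on once indexed, so one representation — the numeric form already used by `invalidLoginPassword` and `invalidLoginUser` earlier in the file — should be applied to all of them. `windowsInvalidLoginPassword` also still combines `decoder.parent: 'sshd'` and an sshd `full_log` with `decoder.name: 'windows_eventchannel'` and Windows rule 60122, which is a self-contradictory event; if a Windows logon failure is intended, the sshd `full_log` and `parent` should go.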
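Review bot: The MITRE `technique` paired with `T1021` in `maximumAuthenticationAttemptsExceeded` is spelled `'Remove Services'`, and the same `technique: ['Brute Force', 'Remove Services']` next to `id: ['T1110', 'T1021']` appears in `bruteForceTryingAccessSystem` in the hunk above. The project's own table in `sample-data/mitre.js` (the `Lateral Movement` entry visible on the removed side later in this patch) lists T1021 as `Remote Services`, so both fixtures should read `technique: ['Brute Force', 'Remote Services'],` — otherwise the sample alerts will not line up with the technique names the MITRE views key on.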
--- a/server/lib/generate-alerts/sample-data/mitre.js +++ b/server/lib/generate-alerts/sample-data/mitre.js 
@@ -11,411 +11,1777 @@ */ // Mitre -export const rule = [{ - "tactic": "Command and Control", - "rule": [ - {id: "T1001", technique: "Data Obfuscation" }, - {id: "T1008", technique: "Fallback Channels" }, - {id: "T1024", technique: "Custom Cryptographic Protocol" }, - {id: "T1026", technique: "Multiband Communication" }, - {id: "T1032", technique: "Standard Cryptographic Protocol" }, - {id: "T1043", technique: "Commonly Used Port" }, - {id: "T1065", technique: "Uncommonly Used Port" }, - {id: "T1071", technique: "Standard Application Layer Protocol" }, - {id: "T1079", technique: "Multilayer Encryption" }, - {id: "T1090", technique: "Connection Proxy" }, - {id: "T1092", technique: "Communication Through Removable Media" }, - {id: "T1094", technique: "Custom Command and Control Protocol" }, - {id: "T1095", technique: "Standard Non-Application Layer Protocol" }, - {id: "T1102", technique: "Web Service" }, - {id: "T1104", technique: "Multi-Stage Channels" }, - {id: "T1105", technique: "Remote File Copy" }, - {id: "T1132", technique: "Data Encoding" }, - {id: "T1172", technique: "Domain Fronting" }, - {id: "T1188", technique: "Multi-hop Proxy" }, - {id: "T1205", technique: "Port Knocking" }, - {id: "T1219", technique: "Remote Access Tools" }, - {id: "T1483", technique: "Domain Generation Algorithms" }, - ] - }, - { - "tactic": "Exfiltration", - "rule": [ - {id: "T1002", technique: "Data Compressed" }, - {id: "T1011", technique: "Exfiltration Over Other Network Medium" }, - {id: "T1020", technique: "Automated Exfiltration" }, - {id: "T1022", technique: "Data Encrypted" }, - {id: "T1029", technique: "Scheduled Transfer" }, - {id: "T1030", technique: "Data Transfer Size Limits" }, - {id: "T1041", technique: "Exfiltration Over Command and Control Channel" }, - {id: "T1048", technique: "Exfiltration Over Alternative Protocol" }, - {id: "T1052", technique: "Exfiltration Over Physical Medium" }, - {id: "T1537", technique: "Transfer Data to Cloud Account" }, - ] - }, - { - 
"tactic": "Credential Access", - "rule": [ - {id: "T1003", technique: "Credential Dumping" }, - {id: "T1040", technique: "Network Sniffing" }, - {id: "T1056", technique: "Input Capture" }, - {id: "T1081", technique: "Credentials in Files" }, - {id: "T1098", technique: "Account Manipulation" }, - {id: "T1110", technique: "Brute Force" }, - {id: "T1111", technique: "Two-Factor Authentication Interception" }, - {id: "T1139", technique: "Bash History" }, - {id: "T1141", technique: "Input Prompt" }, - {id: "T1142", technique: "Keychain" }, - {id: "T1145", technique: "Private Keys" }, - {id: "T1167", technique: "Securityd Memory" }, - {id: "T1171", technique: "LLMNR/NBT-NS Poisoning and Relay" }, - {id: "T1174", technique: "Password Filter DLL" }, - {id: "T1179", technique: "Hooking" }, - {id: "T1187", technique: "Forced Authentication" }, - {id: "T1208", technique: "Kerberoasting" }, - {id: "T1212", technique: "xploitation for Credential Access" }, - {id: "T1214", technique: "Credentials in Registry" }, - {id: "T1503", technique: "Credentials from Web Browsers" }, - {id: "T1522", technique: "Cloud Instance Metadata API" }, - {id: "T1528", technique: "Steal Application Access Token" }, - {id: "T1539", technique: "Steal Web Session Cookie" }, - ] - }, - { - "tactic": "Persistence", - "rule": [ - {id: "T1004", technique: "Winlogon Helper DLL" }, - {id: "T1013", technique: "Port Monitors" }, - {id: "T1015", technique: "Accessibility Features" }, - {id: "T1019", technique: "System Firmware" }, - {id: "T1023", technique: "Shortcut Modification" }, - {id: "T1031", technique: "Modify Existing Service" }, - {id: "T1034", technique: "Path Interception" }, - {id: "T1037", technique: "Logon Scripts" }, - {id: "T1038", technique: "DLL Search Order Hijacking" }, - {id: "T1042", technique: "Change Default File Association" }, - {id: "T1044", technique: "File System Permissions Weakness" }, - {id: "T1050", technique: "New Service" }, - {id: "T1053", technique: "Scheduled Task" }, - 
{id: "T1058", technique: "Service Registry Permissions Weakness" }, - {id: "T1060", technique: "Registry Run Keys / Startup Folder" }, - {id: "T1062", technique: "Hypervisor" }, - {id: "T1067", technique: "Bootkit" }, - {id: "T1078", technique: "Valid Accounts" }, - {id: "T1084", technique: "Windows Management Instrumentation Event Subscription" }, - {id: "T1098", technique: "Account Manipulation" }, - {id: "T1100", technique: "Web Shell" }, - {id: "T1101", technique: "Security Support Provider" }, - {id: "T1103", technique: "AppInit DLLs" }, - {id: "T1108", technique: "Redundant Access" }, - {id: "T1109", technique: "Component Firmware" }, - {id: "T1122", technique: "Component Object Model Hijacking" }, - {id: "T1128", technique: "Netsh Helper DLL" }, - {id: "T1131", technique: "Authentication Package" }, - {id: "T1133", technique: "External Remote Services" }, - {id: "T1136", technique: "Create Account" }, - {id: "T1137", technique: "Office Application Startup" }, - {id: "T1138", technique: "Application Shimming" }, - {id: "T1150", technique: "Plist Modification" }, - {id: "T1152", technique: "Launchctl" }, - {id: "T1154", technique: "Trap" }, - {id: "T1156", technique: "bash_profile and .bashrc" }, - {id: "T1157", technique: "Dylib Hijacking" }, - {id: "T1158", technique: "Hidden Files and Directories" }, - {id: "T1159", technique: "Launch Agent" }, - {id: "T1160", technique: "Launch Daemon" }, - {id: "T1161", technique: "LC_LOAD_DYLIB Addition" }, - {id: "T1162", technique: "Login Item" }, - {id: "T1163", technique: "Rc.common" }, - {id: "T1164", technique: "Re-opened Applications" }, - {id: "T1165", technique: "Startup Items" }, - {id: "T1166", technique: "Setuid and Setgid" }, - {id: "T1168", technique: "Local Job Scheduling" }, - {id: "T1176", technique: "Browser Extensions" }, - {id: "T1177", technique: "LSASS Driver" }, - {id: "T1179", technique: "Hooking" }, - {id: "T1180", technique: "Screensaver" }, - {id: "T1182", technique: "AppCert DLLs" }, - {id: 
"T1183", technique: "Image File Execution Options Injection" }, - {id: "T1197", technique: "BITS Jobs" }, - {id: "T1198", technique: "SIP and Trust Provider Hijacking" }, - {id: "T1205", technique: "Port Knocking" }, - {id: "T1209", technique: "Time Providers" }, - {id: "T1215", technique: "Kernel Modules and Extensions" }, - {id: "T1501", technique: "Systemd Service" }, - {id: "T1504", technique: "PowerShell Profile" }, - {id: "T1505", technique: "Server Software Component" }, - {id: "T1519", technique: "Emond" }, - {id: "T1525", technique: "Implant Container Image" }, - ] - }, - { - "tactic": "Collection", - "rule": [ - {id: "T1005", technique: "Data from Local System" }, - {id: "T1025", technique: "Data from Removable Media" }, - {id: "T1039", technique: "Data from Network Shared Drive" }, - {id: "T1056", technique: "Input Capture" }, - {id: "T1074", technique: "Data Staged" }, - {id: "T1113", technique: "Screen Capture" }, - {id: "T1114", technique: "Email Collection" }, - {id: "T1115", technique: "Clipboard Data" }, - {id: "T1119", technique: "Automated Collection" }, - {id: "T1123", technique: "Audio Capture" }, - {id: "T1125", technique: "Video Capture" }, - {id: "T1185", technique: "Man in the Browser" }, - {id: "T1213", technique: "Data from Information Repositories" }, - {id: "T1530", technique: "Data from Cloud Storage Object" }, - ] - }, - { - "tactic": "Defense Evasion", - "rule": [ - {id: "T1006", technique: "File System Logical Offsets" }, - {id: "T1009", technique: "Binary Padding" }, - {id: "T1014", technique: "Rootkit" }, - {id: "T1027", technique: "Obfuscated Files or Information" }, - {id: "T1036", technique: "Masquerading" }, - {id: "T1038", technique: "DLL Search Order Hijacking" }, - {id: "T1045", technique: "Software Packing" }, - {id: "T1054", technique: "Indicator Blocking" }, - {id: "T1055", technique: "Process Injection" }, - {id: "T1064", technique: "Scripting" }, - {id: "T1066", technique: "Indicator Removal from Tools" }, - {id: 
"T1070", technique: "Indicator Removal on Host" }, - {id: "T1073", technique: "DLL Side-Loading" }, - {id: "T1078", technique: "Valid Accounts" }, - {id: "T1085", technique: "Rundll32" }, - {id: "T1088", technique: "Bypass User Account Control" }, - {id: "T1089", technique: "Disabling Security Tools" }, - {id: "T1090", technique: "Connection Proxy" }, - {id: "T1093", technique: "Process Hollowing" }, - {id: "T1096", technique: "NTFS File Attributes" }, - {id: "T1099", technique: "Timestomp" }, - {id: "T1102", technique: "Web Service" }, - {id: "T1107", technique: "File Deletion" }, - {id: "T1108", technique: "Redundant Access" }, - {id: "T1109", technique: "Component Firmware" }, - {id: "T1112", technique: "Modify Registry" }, - {id: "T1116", technique: "Code Signing" }, - {id: "T1117", technique: "Regsvr32" }, - {id: "T1118", technique: "InstallUtil" }, - {id: "T1121", technique: "Regsvcs/Regasm" }, - {id: "T1122", technique: "Component Object Model Hijacking" }, - {id: "T1126", technique: "Network Share Connection Removal" }, - {id: "T1127", technique: "Trusted Developer Utilities" }, - {id: "T1130", technique: "Install Root Certificate" }, - {id: "T1134", technique: "Access Token Manipulation" }, - {id: "T1140", technique: "Deobfuscate/Decode Files or Information" }, - {id: "T1143", technique: "Hidden Window" }, - {id: "T1144", technique: "Gatekeeper Bypass" }, - {id: "T1146", technique: "Clear Command History" }, - {id: "T1147", technique: "Hidden Users" }, - {id: "T1148", technique: "HISTCONTROL" }, - {id: "T1149", technique: "LC_MAIN Hijacking" }, - {id: "T1150", technique: "Plist Modification" }, - {id: "T1151", technique: "Space after Filename" }, - {id: "T1152", technique: "Launchctl" }, - {id: "T1158", technique: "Hidden Files and Directories" }, - {id: "T1170", technique: "Mshta" }, - {id: "T1181", technique: "Extra Window Memory Injection" }, - {id: "T1183", technique: "Image File Execution Options Injection" }, - {id: "T1186", technique: "Process 
Doppelgänging" }, - {id: "T1191", technique: "CMSTP" }, - {id: "T1196", technique: "Control Panel Items" }, - {id: "T1197", technique: "BITS Jobs" }, - {id: "T1198", technique: "SIP and Trust Provider Hijacking" }, - {id: "T1202", technique: "Indirect Command Execution" }, - {id: "T1205", technique: "Port Knocking" }, - {id: "T1207", technique: "DCShadow" }, - {id: "T1211", technique: "Exploitation for Defense Evasion" }, - {id: "T1216", technique: "Signed Script Proxy Execution" }, - {id: "T1218", technique: "Signed Binary Proxy Execution" }, - {id: "T1220", technique: "XSL Script Processing" }, - {id: "T1221", technique: "Template Injection" }, - {id: "T1222", technique: "File and Directory Permissions Modification" }, - {id: "T1223", technique: "Compiled HTML File" }, - {id: "T1480", technique: "Execution Guardrails" }, - {id: "T1484", technique: "Group Policy Modification" }, - {id: "T1497", technique: "Virtualization/Sandbox Evasion" }, - {id: "T1500", technique: "Compile After Delivery" }, - {id: "T1502", technique: "Parent PID Spoofing" }, - {id: "T1506", technique: "Web Session Cookie" }, - {id: "T1527", technique: "Application Access Token" }, - {id: "T1535", technique: "Unused/Unsupported Cloud Regions" }, - {id: "T1536", technique: "Revert Cloud Instance" }, - ] - }, - { - "tactic": "Discovery", - "rule": [ - {id: "T1007", technique: "System Service Discovery" }, - {id: "T1010", technique: "Application Window Discovery" }, - {id: "T1012", technique: "Query Registry" }, - {id: "T1016", technique: "System Network Configuration Discovery" }, - {id: "T1018", technique: "Remote System Discovery" }, - {id: "T1033", technique: "System Owner/User Discovery" }, - {id: "T1040", technique: "Network Sniffing" }, - {id: "T1046", technique: "Network Service Scanning" }, - {id: "T1049", technique: "System Network Connections Discovery" }, - {id: "T1057", technique: "Process Discovery" }, - {id: "T1063", technique: "Security Software Discovery" }, - {id: "T1069", 
technique: "Permission Groups Discovery" }, - {id: "T1082", technique: "System Information Discovery" }, - {id: "T1083", technique: "File and Directory Discovery" }, - {id: "T1087", technique: "Account Discovery" }, - {id: "T1120", technique: "Peripheral Device Discovery" }, - {id: "T1124", technique: "System Time Discovery" }, - {id: "T1135", technique: "Network Share Discovery" }, - {id: "T1201", technique: "Password Policy Discovery" }, - {id: "T1217", technique: "Browser Bookmark Discovery" }, - {id: "T1482", technique: "Domain Trust Discovery" }, - {id: "T1497", technique: "Virtualization/Sandbox Evasion" }, - {id: "T1518", technique: "Software Discovery" }, - {id: "T1526", technique: "Cloud Service Discovery" }, - {id: "T1538", technique: "Cloud Service Dashboard" }, - ] - }, - { - "tactic": "Privilege Escalation", - "rule": [ - {id: "T1013", technique: "Port Monitors" }, - {id: "T1015", technique: "Accessibility Features" }, - {id: "T1034", technique: "Path Interception" }, - {id: "T1038", technique: "DLL Search Order Hijacking" }, - {id: "T1044", technique: "File System Permissions Weakness" }, - {id: "T1050", technique: "New Service" }, - {id: "T1053", technique: "Scheduled Task" }, - {id: "T1055", technique: "Process Injection" }, - {id: "T1058", technique: "Service Registry Permissions Weakness" }, - {id: "T1068", technique: "Exploitation for Privilege Escalation" }, - {id: "T1078", technique: "Valid Accounts" }, - {id: "T1088", technique: "Bypass User Account Control" }, - {id: "T1100", technique: "Web Shell" }, - {id: "T1103", technique: "AppInit DLLs" }, - {id: "T1134", technique: "Access Token Manipulation" }, - {id: "T1138", technique: "Application Shimming" }, - {id: "T1150", technique: "Plist Modification" }, - {id: "T1157", technique: "Dylib Hijacking" }, - {id: "T1160", technique: "Launch Daemon" }, - {id: "T1165", technique: "Startup Items" }, - {id: "T1166", technique: "Setuid and Setgid" }, - {id: "T1169", technique: "Sudo" }, - {id: "T1178", 
technique: "SID-History Injection" }, - {id: "T1179", technique: "Hooking" }, - {id: "T1181", technique: "Extra Window Memory Injection" }, - {id: "T1182", technique: "AppCert DLLs" }, - {id: "T1183", technique: "Image File Execution Options Injection" }, - {id: "T1206", technique: "Sudo Caching" }, - {id: "T1502", technique: "Parent PID Spoofing" }, - {id: "T1504", technique: "PowerShell Profile" }, - {id: "T1514", technique: "Elevated Execution with Prompt" }, - {id: "T1519", technique: "Emond" }, - ] - }, - { - "tactic": "Lateral Movement", - "rule": [ - {id: "T1017", technique: "Application Deployment Software" }, - {id: "T1021", technique: "Remote Services" }, - {id: "T1028", technique: "Windows Remote Management" }, - {id: "T1037", technique: "Logon Scripts" }, - {id: "T1051", technique: "Shared Webroot" }, - {id: "T1072", technique: "Third-party Software" }, - {id: "T1075", technique: "Pass the Hash" }, - {id: "T1076", technique: "Remote Desktop Protocol" }, - {id: "T1077", technique: "Windows Admin Shares" }, - {id: "T1080", technique: "Taint Shared Content" }, - {id: "T1091", technique: "Replication Through Removable Media" }, - {id: "T1097", technique: "Pass the Ticket" }, - {id: "T1105", technique: "Remote File Copy" }, - {id: "T1155", technique: "AppleScript" }, - {id: "T1175", technique: "Component Object Model and Distributed COM" }, - {id: "T1184", technique: "SSH Hijacking" }, - {id: "T1210", technique: "Exploitation of Remote Services" }, - {id: "T1506", technique: "Web Session Cookie" }, - {id: "T1527", technique: "Application Access Token" }, - {id: "T1534", technique: "Internal Spearphishing" }, - ] - }, - { - "tactic": "Execution", - "rule": [ - {id: "T1028", technique: "Windows Remote Management" }, - {id: "T1035", technique: "Service Execution" }, - {id: "T1047", technique: "Windows Management Instrumentation" }, - {id: "T1053", technique: "Scheduled Task" }, - {id: "T1059", technique: "Command-Line Interface" }, - {id: "T1061", technique: 
"Graphical User Interface" }, - {id: "T1064", technique: "Scripting" }, - {id: "T1072", technique: "Third-party Software" }, - {id: "T1085", technique: "Rundll32" }, - {id: "T1086", technique: "PowerShell" }, - {id: "T1106", technique: "Execution through API" }, - {id: "T1117", technique: "Regsvr32" }, - {id: "T1118", technique: "InstallUtil" }, - {id: "T1121", technique: "Regsvcs/Regasm" }, - {id: "T1127", technique: "Trusted Developer Utilities" }, - {id: "T1129", technique: "Execution through Module Load" }, - {id: "T1151", technique: "Space after Filename" }, - {id: "T1152", technique: "Launchctl" }, - {id: "T1153", technique: "Source" }, - {id: "T1154", technique: "Trap" }, - {id: "T1155", technique: "AppleScript" }, - {id: "T1168", technique: "Local Job Scheduling" }, - {id: "T1170", technique: "Mshta" }, - {id: "T1173", technique: "Dynamic Data Exchange" }, - {id: "T1175", technique: "Component Object Model and Distributed COM" }, - {id: "T1177", technique: "LSASS Driver" }, - {id: "T1191", technique: "CMSTP" }, - {id: "T1196", technique: "Control Panel Items" }, - {id: "T1203", technique: "Exploitation for Client Execution" }, - {id: "T1204", technique: "User Execution" }, - {id: "T1216", technique: "Signed Script Proxy Execution" }, - {id: "T1218", technique: "Signed Binary Proxy Execution" }, - {id: "T1220", technique: "XSL Script Processing" }, - {id: "T1223", technique: "Compiled HTML File" }, - ] - }, - { - "tactic": "Initial Access", - "rule": [ - {id: "T1078", technique: "Valid Accounts" }, - {id: "T1091", technique: "Replication Through Removable Media" }, - {id: "T1133", technique: "External Remote Services" }, - {id: "T1189", technique: "Drive-by Compromise" }, - {id: "T1190", technique: "Exploit Public-Facing Application" }, - {id: "T1192", technique: "Spearphishing Link" }, - {id: "T1193", technique: "Spearphishing Attachment" }, - {id: "T1194", technique: "Spearphishing via Service" }, - {id: "T1195", technique: "Supply Chain Compromise" }, - 
{id: "T1199", technique: "Trusted Relationship" }, - {id: "T1200", technique: "Hardware Additions" }, - ] - }, - { - "tactic": "Impact", - "rule": [ - {id: "T1485", technique: "Data Destruction" }, - {id: "T1486", technique: "Data Encrypted for Impact" }, - {id: "T1487", technique: "Disk Structure Wipe" }, - {id: "T1488", technique: "Disk Content Wipe" }, - {id: "T1489", technique: "Service Stop" }, - {id: "T1490", technique: "Inhibit System Recovery" }, - {id: "T1491", technique: "Defacement" }, - {id: "T1492", technique: "Stored Data Manipulation" }, - {id: "T1493", technique: "Transmitted Data Manipulation" }, - {id: "T1494", technique: "Runtime Data Manipulation" }, - {id: "T1495", technique: "Firmware Corruption" }, - {id: "T1496", technique: "Resource Hijacking" }, - {id: "T1498", technique: "Network Denial of Service" }, - {id: "T1499", technique: "Endpoint Denial of Service" }, - {id: "T1529", technique: "System Shutdown/Reboot" }, - {id: "T1531", technique: "Account Access Removal" }, - ] - } -] +export const arrayMitreRules = [ + { + filename: '0015-ossec_rules.xml', + relative_dirname: 'ruleset/rules', + id: 504, + level: 3, + status: 'enabled', + details: { if_sid: '500', match: 'Agent disconnected' }, + pci_dss: ['10.6.1', '10.2.6'], + gpg13: ['10.1'], + gdpr: ['IV_35.7.d'], + hipaa: ['164.312.b'], + nist_800_53: ['AU.6', 'AU.14', 'AU.5'], + tsc: ['CC7.2', 'CC7.3', 'CC6.8'], + mitre: { tactic: ['Defense Evasion'], id: ['T1089'], technique: ['Disabling Security Tools'] }, + groups: ['ossec'], + description: 'Ossec agent disconnected.', + }, + { + filename: '0015-ossec_rules.xml', + relative_dirname: 'ruleset/rules', + id: 505, + level: 3, + status: 'enabled', + details: { if_sid: '500', match: 'Agent removed' }, + pci_dss: ['10.6.1', '10.2.6'], + gpg13: ['10.1'], + gdpr: ['IV_35.7.d'], + hipaa: ['164.312.b'], + nist_800_53: ['AU.6', 'AU.14', 'AU.5'], + tsc: ['CC7.2', 'CC7.3', 'CC6.8'], + mitre: { tactic: ['Defense Evasion'], id: ['T1089'], technique: 
['Disabling Security Tools'] }, + groups: ['ossec'], + description: 'Ossec agent removed.', + }, + { + filename: '0015-ossec_rules.xml', + relative_dirname: 'ruleset/rules', + id: 518, + level: 9, + status: 'enabled', + details: { if_sid: '514', match: 'Adware|Spyware' }, + gpg13: ['4.2'], + gdpr: ['IV_35.7.d'], + mitre: { + tactic: ['Lateral Movement'], + id: ['T1017'], + technique: ['Application Deployment Software'], + }, + groups: ['rootcheck', 'ossec'], + description: 'Windows Adware/Spyware application found.', + }, + { + filename: '0015-ossec_rules.xml', + relative_dirname: 'ruleset/rules', + id: 550, + level: 7, + status: 'enabled', + details: { category: 'ossec', decoded_as: 'syscheck_integrity_changed' }, + pci_dss: ['11.5'], + gpg13: ['4.11'], + gdpr: ['II_5.1.f'], + hipaa: ['164.312.c.1', '164.312.c.2'], + nist_800_53: ['SI.7'], + tsc: ['PI1.4', 'PI1.5', 'CC6.1', 'CC6.8', 'CC7.2', 'CC7.3'], + mitre: { tactic: ['Impact'], id: ['T1492'], technique: ['Stored Data Manipulation'] }, + groups: ['syscheck', 'ossec'], + description: 'Integrity checksum changed.', + }, + { + filename: '0015-ossec_rules.xml', + relative_dirname: 'ruleset/rules', + id: 553, + level: 7, + status: 'enabled', + details: { category: 'ossec', decoded_as: 'syscheck_deleted' }, + pci_dss: ['11.5'], + gpg13: ['4.11'], + gdpr: ['II_5.1.f'], + hipaa: ['164.312.c.1', '164.312.c.2'], + nist_800_53: ['SI.7'], + tsc: ['PI1.4', 'PI1.5', 'CC6.1', 'CC6.8', 'CC7.2', 'CC7.3'], + mitre: { + tactic: ['Defense Evasion', 'Impact'], + id: ['T1107', 'T1485'], + technique: ['File Deletion', 'Data Destruction'], + }, + groups: ['syscheck', 'ossec'], + description: 'File deleted.', + }, + { + filename: '0015-ossec_rules.xml', + relative_dirname: 'ruleset/rules', + id: 592, + level: 8, + status: 'enabled', + details: { if_sid: '500', match: '^ossec: File size reduced' }, + pci_dss: ['10.5.2', '11.4'], + gpg13: ['10.1'], + gdpr: ['IV_35.7.d'], + hipaa: ['164.312.b'], + nist_800_53: ['AU.9', 'SI.4'], + tsc: 
['CC6.1', 'CC7.2', 'CC7.3', 'CC6.8'], + mitre: { tactic: ['Impact'], id: ['T1492'], technique: ['Stored Data Manipulation'] }, + groups: ['attacks', 'ossec'], + description: 'Log file size reduced.', + }, + { + filename: '0015-ossec_rules.xml', + relative_dirname: 'ruleset/rules', + id: 593, + level: 9, + status: 'enabled', + details: { if_sid: '500', match: '^ossec: Event log cleared' }, + pci_dss: ['10.5.2'], + gpg13: ['10.1'], + gdpr: ['II_5.1.f', 'IV_35.7.d'], + hipaa: ['164.312.b'], + nist_800_53: ['AU.9'], + tsc: ['CC6.1', 'CC7.2', 'CC7.3'], + mitre: { tactic: ['Defense Evasion'], id: ['T1070'], technique: ['Indicator Removal on Host'] }, + groups: ['logs_cleared', 'ossec'], + description: 'Microsoft Event log cleared.', + }, + { + filename: '0015-ossec_rules.xml', + relative_dirname: 'ruleset/rules', + id: 594, + level: 5, + status: 'enabled', + details: { category: 'ossec', if_sid: '550', hostname: 'syscheck-registry' }, + pci_dss: ['11.5'], + gpg13: ['4.13'], + gdpr: ['II_5.1.f'], + hipaa: ['164.312.c.1', '164.312.c.2'], + nist_800_53: ['SI.7'], + tsc: ['PI1.4', 'PI1.5', 'CC6.1', 'CC6.8', 'CC7.2', 'CC7.3'], + mitre: { tactic: ['Impact'], id: ['T1492'], technique: ['Stored Data Manipulation'] }, + groups: ['syscheck', 'ossec'], + description: 'Registry Integrity Checksum Changed', + }, + { + filename: '0015-ossec_rules.xml', + relative_dirname: 'ruleset/rules', + id: 597, + level: 5, + status: 'enabled', + details: { category: 'ossec', if_sid: '553', hostname: 'syscheck-registry' }, + pci_dss: ['11.5'], + gpg13: ['4.13'], + gdpr: ['II_5.1.f'], + hipaa: ['164.312.c.1', '164.312.c.2'], + nist_800_53: ['SI.7'], + tsc: ['PI1.4', 'PI1.5', 'CC6.1', 'CC6.8', 'CC7.2', 'CC7.3'], + mitre: { + tactic: ['Defense Evasion', 'Impact'], + id: ['T1107', 'T1485'], + technique: ['File Deletion', 'Data Destruction'], + }, + groups: ['syscheck', 'ossec'], + description: 'Registry Entry Deleted.', + }, + { + filename: '0020-syslog_rules.xml', + relative_dirname: 'ruleset/rules', 
+ id: 1003, + level: 13, + status: 'enabled', + details: { maxsize: '1025', noalert: '1' }, + gpg13: ['4.3'], + mitre: { tactic: ['Impact'], id: ['T1499'], technique: ['Endpoint Denial of Service'] }, + groups: ['syslog', 'errors'], + description: 'Non standard syslog message (size too large).', + }, + { + filename: '0020-syslog_rules.xml', + relative_dirname: 'ruleset/rules', + id: 2301, + level: 10, + status: 'enabled', + details: { match: '^Deactivating service ' }, + pci_dss: ['10.6.1'], + gdpr: ['IV_35.7.d'], + hipaa: ['164.312.b'], + nist_800_53: ['AU.6'], + tsc: ['CC7.2', 'CC7.3'], + mitre: { tactic: ['Impact'], id: ['T1499'], technique: ['Endpoint Denial of Service'] }, + groups: ['syslog', 'xinetd'], + description: 'xinetd: Excessive number connections to a service.', + }, + { + filename: '0020-syslog_rules.xml', + relative_dirname: 'ruleset/rules', + id: 2502, + level: 10, + status: 'enabled', + details: { match: 'more authentication failures;|REPEATED login failures' }, + pci_dss: ['10.2.4', '10.2.5'], + gpg13: ['7.8'], + gdpr: ['IV_35.7.d', 'IV_32.2'], + hipaa: ['164.312.b'], + nist_800_53: ['AU.14', 'AC.7'], + tsc: ['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3'], + mitre: { tactic: ['Credential Access'], id: ['T1110'], technique: ['Brute Force'] }, + groups: ['authentication_failed', 'syslog', 'access_control'], + description: 'syslog: User missed the password more than one time', + }, + { + filename: '0020-syslog_rules.xml', + relative_dirname: 'ruleset/rules', + id: 2503, + level: 5, + status: 'enabled', + details: { + regex: [ + '^refused connect from|', + '^libwrap refused connection|', + 'Connection from S+ denied', + ], + }, + pci_dss: ['10.2.4'], + gdpr: ['IV_35.7.d'], + hipaa: ['164.312.b'], + nist_800_53: ['AU.14', 'AC.7'], + tsc: ['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3'], + mitre: { + tactic: ['Command and Control'], + id: ['T1095'], + technique: ['Standard Non-Application Layer Protocol'], + }, + groups: ['access_denied', 'syslog', 'access_control'], + 
description: 'syslog: Connection blocked by Tcp Wrappers.', + }, + { + filename: '0020-syslog_rules.xml', + relative_dirname: 'ruleset/rules', + id: 2504, + level: 9, + status: 'enabled', + details: { match: 'ILLEGAL ROOT LOGIN|ROOT LOGIN REFUSED' }, + pci_dss: ['10.2.4', '10.2.5', '10.2.2'], + gpg13: ['7.8'], + gdpr: ['IV_35.7.d', 'IV_32.2'], + hipaa: ['164.312.b'], + nist_800_53: ['AU.14', 'AC.7', 'AC.6'], + tsc: ['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3'], + mitre: { tactic: ['Privilege Escalation'], id: ['T1169'], technique: ['Sudo'] }, + groups: ['invalid_login', 'syslog', 'access_control'], + description: 'syslog: Illegal root login.', + }, + { + filename: '0020-syslog_rules.xml', + relative_dirname: 'ruleset/rules', + id: 2551, + level: 10, + status: 'enabled', + details: { if_sid: '2550', regex: '^Connection from S+ on illegal port$' }, + pci_dss: ['10.6.1'], + gpg13: ['7.1'], + gdpr: ['IV_35.7.d'], + hipaa: ['164.312.b'], + nist_800_53: ['AU.6'], + tsc: ['CC7.2', 'CC7.3'], + mitre: { tactic: ['Discovery'], id: ['T1046'], technique: ['Network Service Scanning'] }, + groups: ['connection_attempt', 'syslog', 'access_control'], + description: 'Connection to rshd from unprivileged port. 
Possible network scan.', + }, + { + filename: '0020-syslog_rules.xml', + relative_dirname: 'ruleset/rules', + id: 2833, + level: 8, + status: 'enabled', + details: { if_sid: '2832', match: '^(root)' }, + pci_dss: ['10.2.7', '10.6.1', '10.2.2'], + gpg13: ['4.13'], + gdpr: ['IV_35.7.d', 'IV_32.2'], + hipaa: ['164.312.b'], + nist_800_53: ['AU.14', 'AU.6', 'AC.6'], + tsc: ['CC6.8', 'CC7.2', 'CC7.3'], + mitre: { tactic: ['Privilege Escalation'], id: ['T1169'], technique: ['Sudo'] }, + groups: ['syslog', 'cron'], + description: "Root's crontab entry changed.", + }, + { + filename: '0020-syslog_rules.xml', + relative_dirname: 'ruleset/rules', + id: 2960, + level: 2, + status: 'enabled', + details: { decoded_as: 'gpasswd', match: 'added by' }, + gpg13: ['7.9', '4.13'], + gdpr: ['IV_32.2'], + mitre: { tactic: ['Persistence'], id: ['T1136'], technique: ['Create Account'] }, + groups: ['syslog', 'yum'], + description: 'User added to group.', + }, + { + filename: '0020-syslog_rules.xml', + relative_dirname: 'ruleset/rules', + id: 2961, + level: 5, + status: 'enabled', + details: { if_sid: '2960', group: 'sudo' }, + gpg13: ['7.9', '4.13'], + gdpr: ['IV_32.2'], + mitre: { tactic: ['Persistence'], id: ['T1136'], technique: ['Create Account'] }, + groups: ['syslog', 'yum'], + description: 'User added to group sudo.', + }, + { + filename: '0020-syslog_rules.xml', + relative_dirname: 'ruleset/rules', + id: 2964, + level: 10, + status: 'enabled', + details: { frequency: '4', timeframe: '30', if_matched_sid: '2963', same_source_ip: '' }, + pci_dss: ['11.4'], + tsc: ['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3'], + mitre: { tactic: ['Impact'], id: ['T1499'], technique: ['Endpoint Denial of Service'] }, + groups: ['recon', 'syslog', 'perdition'], + description: 'perdition: Multiple connection attempts from same source.', + }, + { + filename: '0025-sendmail_rules.xml', + relative_dirname: 'ruleset/rules', + id: 3102, + level: 5, + status: 'enabled', + details: { if_sid: '3101', match: 'reject=451 
4.1.8 ' }, + pci_dss: ['11.4'], + gdpr: ['IV_35.7.d'], + nist_800_53: ['SI.4'], + tsc: ['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3'], + mitre: { tactic: ['Collection'], id: ['T1114'], technique: ['Email Collection'] }, + groups: ['spam', 'syslog', 'sendmail'], + description: + 'sendmail: Sender domain does not have any valid MX record (Requested action aborted).', + }, + { + filename: '0025-sendmail_rules.xml', + relative_dirname: 'ruleset/rules', + id: 3103, + level: 6, + status: 'enabled', + details: { if_sid: '3101', match: 'reject=550 5.0.0 |reject=553 5.3.0' }, + pci_dss: ['11.4'], + gdpr: ['IV_35.7.d'], + nist_800_53: ['SI.4'], + tsc: ['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3'], + mitre: { tactic: ['Collection'], id: ['T1114'], technique: ['Email Collection'] }, + groups: ['spam', 'syslog', 'sendmail'], + description: 'sendmail: Rejected by access list (55x: Requested action not taken).', + }, + { + filename: '0025-sendmail_rules.xml', + relative_dirname: 'ruleset/rules', + id: 3104, + level: 6, + status: 'enabled', + details: { if_sid: '3101', match: 'reject=550 5.7.1 ' }, + pci_dss: ['11.4'], + gdpr: ['IV_35.7.d'], + nist_800_53: ['SI.4'], + tsc: ['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3'], + mitre: { tactic: ['Collection'], id: ['T1114'], technique: ['Email Collection'] }, + groups: ['spam', 'syslog', 'sendmail'], + description: 'sendmail: Attempt to use mail server as relay (550: Requested action not taken).', + }, + { + filename: '0025-sendmail_rules.xml', + relative_dirname: 'ruleset/rules', + id: 3105, + level: 5, + status: 'enabled', + details: { if_sid: '3101', match: 'reject=553 5.1.8 ' }, + pci_dss: ['11.4'], + gdpr: ['IV_35.7.d'], + nist_800_53: ['SI.4'], + tsc: ['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3'], + mitre: { tactic: ['Collection'], id: ['T1114'], technique: ['Email Collection'] }, + groups: ['spam', 'syslog', 'sendmail'], + description: 'sendmail: Sender domain is not found (553: Requested action not taken).', + }, + { + filename: '0025-sendmail_rules.xml', + 
relative_dirname: 'ruleset/rules', + id: 3106, + level: 5, + status: 'enabled', + details: { if_sid: '3101', match: 'reject=553 5.5.4 ' }, + pci_dss: ['11.4'], + gdpr: ['IV_35.7.d'], + nist_800_53: ['SI.4'], + tsc: ['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3'], + mitre: { tactic: ['Collection'], id: ['T1114'], technique: ['Email Collection'] }, + groups: ['spam', 'syslog', 'sendmail'], + description: 'sendmail: Sender address does not have domain (553: Requested action not taken).', + }, + { + filename: '0025-sendmail_rules.xml', + relative_dirname: 'ruleset/rules', + id: 3108, + level: 6, + status: 'enabled', + details: { if_sid: '3100', match: 'rejecting commands from' }, + pci_dss: ['11.4'], + gdpr: ['IV_35.7.d'], + nist_800_53: ['SI.4'], + tsc: ['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3'], + mitre: { tactic: ['Collection'], id: ['T1114'], technique: ['Email Collection'] }, + groups: ['spam', 'syslog', 'sendmail'], + description: 'sendmail: Sendmail rejected due to pre-greeting.', + }, + { + filename: '0025-sendmail_rules.xml', + relative_dirname: 'ruleset/rules', + id: 3151, + level: 10, + status: 'enabled', + details: { frequency: '8', timeframe: '120', if_matched_sid: '3102', same_source_ip: '' }, + pci_dss: ['11.4'], + gdpr: ['IV_35.7.d'], + nist_800_53: ['SI.4'], + tsc: ['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3'], + mitre: { + tactic: ['Collection', 'Impact'], + id: ['T1114', 'T1499'], + technique: ['Email Collection', 'Endpoint Denial of Service'], + }, + groups: ['multiple_spam', 'syslog', 'sendmail'], + description: 'sendmail: Sender domain has bogus MX record. 
It should not be sending e-mail.', + }, + { + filename: '0025-sendmail_rules.xml', + relative_dirname: 'ruleset/rules', + id: 3152, + level: 6, + status: 'enabled', + details: { frequency: '8', timeframe: '120', if_matched_sid: '3103', same_source_ip: '' }, + pci_dss: ['11.4'], + gdpr: ['IV_35.7.d'], + nist_800_53: ['SI.4'], + tsc: ['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3'], + mitre: { + tactic: ['Collection', 'Impact'], + id: ['T1114', 'T1499'], + technique: ['Email Collection', 'Endpoint Denial of Service'], + }, + groups: ['multiple_spam', 'syslog', 'sendmail'], + description: + 'sendmail: Multiple attempts to send e-mail from a previously rejected sender (access).', + }, + { + filename: '0025-sendmail_rules.xml', + relative_dirname: 'ruleset/rules', + id: 3153, + level: 6, + status: 'enabled', + details: { frequency: '8', timeframe: '120', if_matched_sid: '3104', same_source_ip: '' }, + pci_dss: ['11.4'], + gdpr: ['IV_35.7.d'], + nist_800_53: ['SI.4'], + tsc: ['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3'], + mitre: { + tactic: ['Collection', 'Impact'], + id: ['T1114', 'T1499'], + technique: ['Email Collection', 'Endpoint Denial of Service'], + }, + groups: ['multiple_spam', 'syslog', 'sendmail'], + description: 'sendmail: Multiple relaying attempts of spam.', + }, + { + filename: '0025-sendmail_rules.xml', + relative_dirname: 'ruleset/rules', + id: 3154, + level: 10, + status: 'enabled', + details: { frequency: '8', timeframe: '120', if_matched_sid: '3105', same_source_ip: '' }, + pci_dss: ['11.4'], + gdpr: ['IV_35.7.d'], + nist_800_53: ['SI.4'], + tsc: ['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3'], + mitre: { + tactic: ['Collection', 'Impact'], + id: ['T1114', 'T1499'], + technique: ['Email Collection', 'Endpoint Denial of Service'], + }, + groups: ['multiple_spam', 'syslog', 'sendmail'], + description: 'sendmail: Multiple attempts to send e-mail from invalid/unknown sender domain.', + }, + { + filename: '0025-sendmail_rules.xml', + relative_dirname: 'ruleset/rules', + id: 3155, + 
level: 10, + status: 'enabled', + details: { frequency: '8', timeframe: '120', if_matched_sid: '3106', same_source_ip: '' }, + pci_dss: ['11.4'], + gdpr: ['IV_35.7.d'], + nist_800_53: ['SI.4'], + tsc: ['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3'], + mitre: { + tactic: ['Collection', 'Impact'], + id: ['T1114', 'T1499'], + technique: ['Email Collection', 'Endpoint Denial of Service'], + }, + groups: ['multiple_spam', 'syslog', 'sendmail'], + description: 'sendmail: Multiple attempts to send e-mail from invalid/unknown sender.', + }, + { + filename: '0025-sendmail_rules.xml', + relative_dirname: 'ruleset/rules', + id: 3156, + level: 10, + status: 'enabled', + details: { frequency: '12', timeframe: '120', if_matched_sid: '3107', same_source_ip: '' }, + pci_dss: ['11.4'], + gdpr: ['IV_35.7.d'], + nist_800_53: ['SI.4'], + tsc: ['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3'], + mitre: { + tactic: ['Collection', 'Impact'], + id: ['T1114', 'T1499'], + technique: ['Email Collection', 'Endpoint Denial of Service'], + }, + groups: ['multiple_spam', 'syslog', 'sendmail'], + description: 'sendmail: Multiple rejected e-mails from same source ip.', + }, + { + filename: '0025-sendmail_rules.xml', + relative_dirname: 'ruleset/rules', + id: 3158, + level: 10, + status: 'enabled', + details: { frequency: '8', timeframe: '120', if_matched_sid: '3108', same_source_ip: '' }, + pci_dss: ['11.4'], + gdpr: ['IV_35.7.d'], + nist_800_53: ['SI.4'], + tsc: ['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3'], + mitre: { + tactic: ['Collection', 'Impact'], + id: ['T1114', 'T1499'], + technique: ['Email Collection', 'Endpoint Denial of Service'], + }, + groups: ['multiple_spam', 'syslog', 'sendmail'], + description: 'sendmail: Multiple pre-greetings rejects.', + }, + { + filename: '0025-sendmail_rules.xml', + relative_dirname: 'ruleset/rules', + id: 3191, + level: 6, + status: 'enabled', + details: { if_sid: '3190', match: '^sender check failed|^sender check tempfailed' }, + pci_dss: ['11.4'], + gdpr: ['IV_35.7.d'], + nist_800_53: 
['SI.4'], + tsc: ['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3'], + mitre: { tactic: ['Collection'], id: ['T1114'], technique: ['Email Collection'] }, + groups: ['smf-sav', 'spam', 'syslog', 'sendmail'], + description: 'sendmail: SMF-SAV sendmail milter unable to verify address (REJECTED).', + }, + { + filename: '0030-postfix_rules.xml', + relative_dirname: 'ruleset/rules', + id: 3301, + level: 6, + status: 'enabled', + details: { if_sid: '3300', id: '^554$' }, + pci_dss: ['10.6.1', '11.4'], + gdpr: ['IV_35.7.d'], + hipaa: ['164.312.b'], + nist_800_53: ['AU.6', 'SI.4'], + tsc: ['CC7.2', 'CC7.3', 'CC6.1', 'CC6.8'], + mitre: { tactic: ['Collection'], id: ['T1114'], technique: ['Email Collection'] }, + groups: ['spam', 'syslog', 'postfix'], + description: 'Postfix: Attempt to use mail server as relay (client host rejected).', + }, + { + filename: '0030-postfix_rules.xml', + relative_dirname: 'ruleset/rules', + id: 3302, + level: 6, + status: 'enabled', + details: { if_sid: '3300', id: '^550$' }, + pci_dss: ['10.6.1', '11.4'], + gdpr: ['IV_35.7.d'], + hipaa: ['164.312.b'], + nist_800_53: ['AU.6', 'SI.4'], + tsc: ['CC7.2', 'CC7.3', 'CC6.1', 'CC6.8'], + mitre: { tactic: ['Collection'], id: ['T1114'], technique: ['Email Collection'] }, + groups: ['spam', 'syslog', 'postfix'], + description: 'Postfix: Rejected by access list (Requested action not taken).', + }, + { + filename: '0030-postfix_rules.xml', + relative_dirname: 'ruleset/rules', + id: 3303, + level: 5, + status: 'enabled', + details: { if_sid: '3300', id: '^450$' }, + pci_dss: ['10.6.1', '11.4'], + gdpr: ['IV_35.7.d'], + hipaa: ['164.312.b'], + nist_800_53: ['AU.6', 'SI.4'], + tsc: ['CC7.2', 'CC7.3', 'CC6.1', 'CC6.8'], + mitre: { tactic: ['Collection'], id: ['T1114'], technique: ['Email Collection'] }, + groups: ['spam', 'syslog', 'postfix'], + description: 'Postfix: Sender domain is not found (450: Requested mail action not taken).', + }, + { + filename: '0030-postfix_rules.xml', + relative_dirname: 'ruleset/rules', + id: 
3304, + level: 5, + status: 'enabled', + details: { if_sid: '3300', id: '^503$' }, + pci_dss: ['10.6.1', '11.4'], + gdpr: ['IV_35.7.d'], + hipaa: ['164.312.b'], + nist_800_53: ['AU.6', 'SI.4'], + tsc: ['CC7.2', 'CC7.3', 'CC6.1', 'CC6.8'], + mitre: { tactic: ['Collection'], id: ['T1114'], technique: ['Email Collection'] }, + groups: ['spam', 'syslog', 'postfix'], + description: + 'Postfix: Improper use of SMTP command pipelining (503: Bad sequence of commands).', + }, + { + filename: '0030-postfix_rules.xml', + relative_dirname: 'ruleset/rules', + id: 3305, + level: 5, + status: 'enabled', + details: { if_sid: '3300', id: '^504$' }, + pci_dss: ['10.6.1', '11.4'], + gdpr: ['IV_35.7.d'], + hipaa: ['164.312.b'], + nist_800_53: ['AU.6', 'SI.4'], + tsc: ['CC7.2', 'CC7.3', 'CC6.1', 'CC6.8'], + mitre: { tactic: ['Collection'], id: ['T1114'], technique: ['Email Collection'] }, + groups: ['spam', 'syslog', 'postfix'], + description: + 'Postfix: Recipient address must contain FQDN (504: Command parameter not implemented).', + }, + { + filename: '0030-postfix_rules.xml', + relative_dirname: 'ruleset/rules', + id: 3306, + level: 6, + status: 'enabled', + details: { if_sid: '3301, 3302', match: ' blocked using ' }, + pci_dss: ['10.6.1', '11.4'], + gdpr: ['IV_35.7.d'], + hipaa: ['164.312.b'], + nist_800_53: ['AU.6', 'SI.4'], + tsc: ['CC7.2', 'CC7.3', 'CC6.1', 'CC6.8'], + mitre: { tactic: ['Collection'], id: ['T1114'], technique: ['Email Collection'] }, + groups: ['spam', 'syslog', 'postfix'], + description: 'Postfix: IP Address black-listed by anti-spam (blocked).', + }, + { + filename: '0030-postfix_rules.xml', + relative_dirname: 'ruleset/rules', + id: 3330, + level: 10, + status: 'enabled', + details: { + ignore: '240', + if_sid: '3320', + match: [ + 'defer service failure|Resource temporarily unavailable|', + '^fatal: the Postfix mail system is not running', + ], + }, + pci_dss: ['10.6.1'], + gdpr: ['IV_35.7.d'], + hipaa: ['164.312.b'], + nist_800_53: ['AU.6'], + tsc: 
['CC7.2', 'CC7.3'], + mitre: { tactic: ['Impact'], id: ['T1499'], technique: ['Endpoint Denial of Service'] }, + groups: ['service_availability', 'syslog', 'postfix'], + description: 'Postfix process error.', + }, + { + filename: '0030-postfix_rules.xml', + relative_dirname: 'ruleset/rules', + id: 3335, + level: 6, + status: 'enabled', + details: { if_sid: '3320', match: '^too many ' }, + pci_dss: ['10.6.1', '11.4'], + gdpr: ['IV_35.7.d'], + hipaa: ['164.312.b'], + nist_800_53: ['AU.6', 'SI.4'], + tsc: ['CC7.2', 'CC7.3', 'CC6.1', 'CC6.8'], + mitre: { tactic: ['Collection'], id: ['T1114'], technique: ['Email Collection'] }, + groups: ['spam', 'syslog', 'postfix'], + description: 'Postfix: too many errors after RCPT from unknown', + }, + { + filename: '0030-postfix_rules.xml', + relative_dirname: 'ruleset/rules', + id: 3351, + level: 6, + status: 'enabled', + details: { + frequency: '$POSTFIX_FREQ', + timeframe: '90', + if_matched_sid: '3301', + same_source_ip: '', + }, + pci_dss: ['10.6.1', '11.4'], + gdpr: ['IV_35.7.d'], + hipaa: ['164.312.b'], + nist_800_53: ['AU.6', 'SI.4'], + tsc: ['CC7.2', 'CC7.3', 'CC6.1', 'CC6.8'], + mitre: { + tactic: ['Collection', 'Impact'], + id: ['T1114', 'T1499'], + technique: ['Email Collection', 'Endpoint Denial of Service'], + }, + groups: ['multiple_spam', 'syslog', 'postfix'], + description: 'Postfix: Multiple relaying attempts of spam.', + }, + { + filename: '0030-postfix_rules.xml', + relative_dirname: 'ruleset/rules', + id: 3352, + level: 6, + status: 'enabled', + details: { + frequency: '$POSTFIX_FREQ', + timeframe: '120', + if_matched_sid: '3302', + same_source_ip: '', + }, + pci_dss: ['10.6.1', '11.4'], + hipaa: ['164.312.b'], + nist_800_53: ['AU.6', 'SI.4'], + tsc: ['CC7.2', 'CC7.3', 'CC6.1', 'CC6.8'], + mitre: { + tactic: ['Collection', 'Impact'], + id: ['T1114', 'T1499'], + technique: ['Email Collection', 'Endpoint Denial of Service'], + }, + groups: ['multiple_spam', 'syslog', 'postfix'], + description: 'Postfix: Multiple 
attempts to send e-mail from a rejected sender IP (access).', + }, + { + filename: '0030-postfix_rules.xml', + relative_dirname: 'ruleset/rules', + id: 3353, + level: 10, + status: 'enabled', + details: { + frequency: '$POSTFIX_FREQ', + timeframe: '120', + if_matched_sid: '3303', + same_source_ip: '', + }, + pci_dss: ['10.6.1', '11.4'], + gdpr: ['IV_35.7.d'], + hipaa: ['164.312.b'], + nist_800_53: ['AU.6', 'SI.4'], + tsc: ['CC7.2', 'CC7.3', 'CC6.1', 'CC6.8'], + mitre: { + tactic: ['Collection', 'Impact'], + id: ['T1114', 'T1499'], + technique: ['Email Collection', 'Endpoint Denial of Service'], + }, + groups: ['multiple_spam', 'syslog', 'postfix'], + description: 'Postfix: Multiple attempts to send e-mail from invalid/unknown sender domain.', + }, + { + filename: '0030-postfix_rules.xml', + relative_dirname: 'ruleset/rules', + id: 3354, + level: 12, + status: 'enabled', + details: { + frequency: '$POSTFIX_FREQ', + timeframe: '120', + if_matched_sid: '3304', + same_source_ip: '', + }, + pci_dss: ['10.6.1', '11.4'], + gdpr: ['IV_35.7.d'], + hipaa: ['164.312.b'], + nist_800_53: ['AU.6', 'SI.4'], + tsc: ['CC7.2', 'CC7.3', 'CC6.1', 'CC6.8'], + mitre: { tactic: ['Collection'], id: ['T1114'], technique: ['Email Collection'] }, + groups: ['multiple_spam', 'syslog', 'postfix'], + description: 'Postfix: Multiple misuse of SMTP service (bad sequence of commands).', + }, + { + filename: '0030-postfix_rules.xml', + relative_dirname: 'ruleset/rules', + id: 3355, + level: 10, + status: 'enabled', + details: { + frequency: '$POSTFIX_FREQ', + timeframe: '120', + if_matched_sid: '3305', + same_source_ip: '', + }, + pci_dss: ['10.6.1', '11.4'], + gdpr: ['IV_35.7.d'], + hipaa: ['164.312.b'], + nist_800_53: ['AU.6', 'SI.4'], + tsc: ['CC7.2', 'CC7.3', 'CC6.1', 'CC6.8'], + mitre: { + tactic: ['Collection', 'Impact'], + id: ['T1114', 'T1499'], + technique: ['Email Collection', 'Endpoint Denial of Service'], + }, + groups: ['multiple_spam', 'syslog', 'postfix'], + description: + 'Postfix: 
Multiple attempts to send e-mail to invalid recipient or from unknown sender domain.', + }, + { + filename: '0030-postfix_rules.xml', + relative_dirname: 'ruleset/rules', + id: 3356, + level: 10, + status: 'enabled', + details: { + frequency: '$POSTFIX_FREQ', + timeframe: '120', + ignore: '30', + if_matched_sid: '3306', + same_source_ip: '', + }, + pci_dss: ['10.6.1', '11.4'], + gdpr: ['IV_35.7.d'], + hipaa: ['164.312.b'], + nist_800_53: ['AU.6', 'SI.4'], + tsc: ['CC7.2', 'CC7.3', 'CC6.1', 'CC6.8'], + mitre: { tactic: ['Impact'], id: ['T1499'], technique: ['Endpoint Denial of Service'] }, + groups: ['multiple_spam', 'syslog', 'postfix'], + description: + 'Postfix: Multiple attempts to send e-mail from black-listed IP address (blocked).', + }, + { + filename: '0030-postfix_rules.xml', + relative_dirname: 'ruleset/rules', + id: 3357, + level: 10, + status: 'enabled', + details: { + frequency: '8', + timeframe: '120', + ignore: '60', + if_matched_sid: '3332', + same_source_ip: '', + }, + pci_dss: ['10.2.4', '10.2.5', '11.4'], + gdpr: ['IV_35.7.d', 'IV_32.2'], + hipaa: ['164.312.b'], + nist_800_53: ['AU.14', 'AC.7', 'SI.4'], + tsc: ['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3'], + mitre: { tactic: ['Credential Access'], id: ['T1110'], technique: ['Brute Force'] }, + groups: ['authentication_failures', 'syslog', 'postfix'], + description: 'Postfix: Multiple SASL authentication failures.', + }, + { + filename: '0030-postfix_rules.xml', + relative_dirname: 'ruleset/rules', + id: 3396, + level: 6, + status: 'enabled', + details: { if_sid: '3395', match: 'verification' }, + pci_dss: ['10.6.1', '11.4'], + gdpr: ['IV_35.7.d'], + hipaa: ['164.312.b'], + nist_800_53: ['AU.6', 'SI.4'], + tsc: ['CC7.2', 'CC7.3', 'CC6.1', 'CC6.8'], + mitre: { tactic: ['Collection'], id: ['T1114'], technique: ['Email Collection'] }, + groups: ['spam', 'syslog', 'postfix'], + description: 'Postfix: hostname verification failed', + }, + { + filename: '0030-postfix_rules.xml', + relative_dirname: 
'ruleset/rules',
+ id: 3397,
+ level: 6,
+ status: 'enabled',
+ details: { if_sid: '3395', match: 'RBL' },
+ pci_dss: ['10.6.1', '11.4'],
+ gdpr: ['IV_35.7.d'],
+ hipaa: ['164.312.b'],
+ nist_800_53: ['AU.6', 'SI.4'],
+ tsc: ['CC7.2', 'CC7.3', 'CC6.1', 'CC6.8'],
+ mitre: { tactic: ['Collection'], id: ['T1114'], technique: ['Email Collection'] },
+ groups: ['spam', 'syslog', 'postfix'],
+ description: 'Postfix: RBL lookup error: Host or domain name not found',
+ },
+ {
+ filename: '0030-postfix_rules.xml',
+ relative_dirname: 'ruleset/rules',
+ id: 3398,
+ level: 6,
+ status: 'enabled',
+ details: { if_sid: '3395', match: 'MAIL|does not resolve to address' },
+ pci_dss: ['10.6.1', '11.4'],
+ gdpr: ['IV_35.7.d'],
+ hipaa: ['164.312.b'],
+ nist_800_53: ['AU.6', 'SI.4'],
+ tsc: ['CC7.2', 'CC7.3', 'CC6.1', 'CC6.8'],
+ mitre: { tactic: ['Collection'], id: ['T1114'], technique: ['Email Collection'] },
+ groups: ['spam', 'syslog', 'postfix'],
+ description: 'Postfix: Illegal address from unknown sender',
+ },
+ {
+ filename: '0040-imapd_rules.xml',
+ relative_dirname: 'ruleset/rules',
+ id: 3602,
+ level: 3,
+ status: 'enabled',
+ details: { if_sid: '3600', match: 'Authenticated user=' },
+ pci_dss: ['10.2.5'],
+ gpg13: ['7.1'],
+ gdpr: ['IV_32.2'],
+ hipaa: ['164.312.b'],
+ nist_800_53: ['AU.14', 'AC.7'],
+ tsc: ['CC6.8', 'CC7.2', 'CC7.3'],
+ mitre: { tactic: ['Initial Access'], id: ['T1078'], technique: ['Valid Accounts'] },
+ groups: ['authentication_success', 'syslog', 'imapd'],
+ description: 'Imapd user login.',
+ },
+ {
+ filename: '0040-imapd_rules.xml',
+ relative_dirname: 'ruleset/rules',
+ id: 3651,
+ level: 10,
+ status: 'enabled',
+ details: {
+ frequency: '$IMAPD_FREQ',
+ timeframe: '120',
+ if_matched_sid: '3601',
+ same_source_ip: '',
+ },
+ pci_dss: ['10.2.4', '10.2.5', '11.4'],
+ gpg13: ['7.1'],
+ gdpr: ['IV_35.7.d', 'IV_32.2'],
+ hipaa: ['164.312.b'],
+ nist_800_53: ['AU.14', 'AC.7', 'SI.4'],
+ tsc: ['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3'],
+ mitre: { 
tactic: ['Credential Access'], id: ['T1110'], technique: ['Brute Force'] },
+ groups: ['authentication_failures', 'syslog', 'imapd'],
+ description: 'Imapd Multiple failed logins from same source ip.',
+ },
+ {
+ filename: '0045-mailscanner_rules.xml',
+ relative_dirname: 'ruleset/rules',
+ id: 3751,
+ level: 6,
+ status: 'enabled',
+ details: { frequency: '8', timeframe: '180', if_matched_sid: '3702', same_source_ip: '' },
+ pci_dss: ['10.6.1'],
+ gpg13: ['4.12'],
+ gdpr: ['IV_35.7.d'],
+ hipaa: ['164.312.b'],
+ nist_800_53: ['AU.6'],
+ tsc: ['CC7.2', 'CC7.3'],
+ mitre: {
+ tactic: ['Credential Access', 'Collection'],
+ id: ['T1110', 'T1114'],
+ technique: ['Brute Force', 'Email Collection'],
+ },
+ groups: ['multiple_spam', 'syslog', 'mailscanner'],
+ description: 'mailscanner: Multiple attempts of spam.',
+ },
+ {
+ filename: '0050-ms-exchange_rules.xml',
+ relative_dirname: 'ruleset/rules',
+ id: 3851,
+ level: 9,
+ status: 'enabled',
+ details: {
+ frequency: '12',
+ timeframe: '120',
+ ignore: '120',
+ if_matched_sid: '3801',
+ same_source_ip: '',
+ },
+ pci_dss: ['10.6.1'],
+ gpg13: ['4.12'],
+ gdpr: ['IV_35.7.d'],
+ hipaa: ['164.312.b'],
+ nist_800_53: ['AU.6'],
+ tsc: ['CC7.2', 'CC7.3'],
+ mitre: {
+ tactic: ['Collection', 'Impact'],
+ id: ['T1114', 'T1499'],
+ technique: ['Email Collection', 'Endpoint Denial of Service'],
+ },
+ groups: ['multiple_spam', 'ms', 'exchange'],
+ description: 'ms-exchange: Multiple e-mail attempts to an invalid account.',
+ },
+ {
+ filename: '0050-ms-exchange_rules.xml',
+ relative_dirname: 'ruleset/rules',
+ id: 3852,
+ level: 9,
+ status: 'enabled',
+ details: {
+ frequency: '14',
+ timeframe: '120',
+ ignore: '240',
+ if_matched_sid: '3802',
+ same_source_ip: '',
+ },
+ pci_dss: ['10.6.1'],
+ gpg13: ['4.12'],
+ gdpr: ['IV_35.7.d'],
+ hipaa: ['164.312.b'],
+ nist_800_53: ['AU.6'],
+ tsc: ['CC7.2', 'CC7.3'],
+ mitre: {
+ tactic: ['Collection', 'Impact'],
+ id: ['T1114', 'T1499'],
+ technique: ['Email Collection', 'Endpoint 
Denial of Service'],
+ },
+ groups: ['multiple_spam', 'ms', 'exchange'],
+ description: 'ms-exchange: Multiple e-mail 500 error code (spam).',
+ },
+ {
+ filename: '0055-courier_rules.xml',
+ relative_dirname: 'ruleset/rules',
+ id: 3904,
+ level: 3,
+ status: 'enabled',
+ details: { if_sid: '3900', match: '^LOGIN,' },
+ pci_dss: ['10.2.5'],
+ gpg13: ['7.1', '7.2'],
+ gdpr: ['IV_32.2'],
+ hipaa: ['164.312.b'],
+ nist_800_53: ['AU.14', 'AC.7'],
+ tsc: ['CC6.8', 'CC7.2', 'CC7.3'],
+ mitre: { tactic: ['Initial Access'], id: ['T1078'], technique: ['Valid Accounts'] },
+ groups: ['authentication_success', 'syslog', 'courier'],
+ description: 'Courier (imap/pop3) authentication success.',
+ },
+ {
+ filename: '0055-courier_rules.xml',
+ relative_dirname: 'ruleset/rules',
+ id: 3910,
+ level: 10,
+ status: 'enabled',
+ details: { frequency: '12', timeframe: '30', if_matched_sid: '3902', same_source_ip: '' },
+ pci_dss: ['10.2.4', '10.2.5', '11.4'],
+ gpg13: ['7.1'],
+ gdpr: ['IV_35.7.d', 'IV_32.2'],
+ hipaa: ['164.312.b'],
+ nist_800_53: ['AU.14', 'AC.7', 'SI.4'],
+ tsc: ['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3'],
+ mitre: { tactic: ['Credential Access'], id: ['T1110'], technique: ['Brute Force'] },
+ groups: ['authentication_failures', 'syslog', 'courier'],
+ description: 'Courier brute force (multiple failed logins).',
+ },
+ {
+ filename: '0055-courier_rules.xml',
+ relative_dirname: 'ruleset/rules',
+ id: 3911,
+ level: 10,
+ status: 'enabled',
+ details: { frequency: '17', timeframe: '30', if_matched_sid: '3901', same_source_ip: '' },
+ pci_dss: ['10.6.1', '11.4'],
+ gdpr: ['IV_35.7.d'],
+ hipaa: ['164.312.b'],
+ nist_800_53: ['AU.6', 'SI.4'],
+ tsc: ['CC7.2', 'CC7.3', 'CC6.1', 'CC6.8'],
+ mitre: { tactic: ['Credential Access'], id: ['T1110'], technique: ['Brute Force'] },
+ groups: ['recon', 'syslog', 'courier'],
+ description: 'Courier: Multiple connection attempts from same source.',
+ },
+ {
+ filename: '0065-pix_rules.xml',
+ relative_dirname: 'ruleset/rules',
+ id: 
4323,
+ level: 3,
+ status: 'enabled',
+ details: { if_sid: '4314', id: '^6-605005' },
+ pci_dss: ['10.2.5'],
+ gpg13: ['7.8'],
+ gdpr: ['IV_32.2'],
+ hipaa: ['164.312.b'],
+ nist_800_53: ['AU.14', 'AC.7'],
+ tsc: ['CC6.8', 'CC7.2', 'CC7.3'],
+ mitre: { tactic: ['Initial Access'], id: ['T1078'], technique: ['Valid Accounts'] },
+ groups: ['authentication_success', 'syslog', 'pix'],
+ description: 'PIX: Successful login.',
+ },
+ {
+ filename: '0065-pix_rules.xml',
+ relative_dirname: 'ruleset/rules',
+ id: 4325,
+ level: 8,
+ status: 'enabled',
+ details: { if_sid: '4313', id: '^4-405001' },
+ pci_dss: ['10.6.1'],
+ gpg13: ['4.12'],
+ gdpr: ['IV_35.7.d'],
+ hipaa: ['164.312.b'],
+ nist_800_53: ['AU.6'],
+ tsc: ['CC7.2', 'CC7.3'],
+ mitre: {
+ tactic: ['Command and Control'],
+ id: ['T1095'],
+ technique: ['Standard Non-Application Layer Protocol'],
+ },
+ groups: ['syslog', 'pix'],
+ description: 'PIX: ARP collision detected.',
+ },
+ {
+ filename: '0065-pix_rules.xml',
+ relative_dirname: 'ruleset/rules',
+ id: 4335,
+ level: 3,
+ status: 'enabled',
+ details: { if_sid: '4314', id: '^6-113004' },
+ pci_dss: ['10.2.5'],
+ gpg13: ['7.1', '7.2'],
+ gdpr: ['IV_32.2'],
+ hipaa: ['164.312.b'],
+ nist_800_53: ['AU.14', 'AC.7'],
+ tsc: ['CC6.8', 'CC7.2', 'CC7.3'],
+ mitre: { tactic: ['Initial Access'], id: ['T1078'], technique: ['Valid Accounts'] },
+ groups: ['authentication_success', 'syslog', 'pix'],
+ description: 'PIX: AAA (VPN) authentication successful.',
+ },
+ {
+ filename: '0065-pix_rules.xml',
+ relative_dirname: 'ruleset/rules',
+ id: 4336,
+ level: 8,
+ status: 'enabled',
+ details: { if_sid: '4314', id: '^6-113006' },
+ pci_dss: ['10.2.4', '10.2.5'],
+ gpg13: ['7.1', '7.5'],
+ gdpr: ['IV_35.7.d', 'IV_32.2'],
+ hipaa: ['164.312.b'],
+ nist_800_53: ['AU.14', 'AC.7'],
+ tsc: ['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3'],
+ mitre: { tactic: ['Initial Access'], id: ['T1133'], technique: ['External Remote Services'] },
+ groups: ['authentication_failed', 'syslog', 'pix'],
+ description: 'PIX: AAA (VPN) user locked out.',
+ },
+ {
+ filename: '0065-pix_rules.xml',
+ relative_dirname: 'ruleset/rules',
+ id: 4337,
+ level: 8,
+ status: 'enabled',
+ details: { if_sid: '4312', id: '^3-201008' },
+ pci_dss: ['10.6.1'],
+ gpg13: ['4.12'],
+ gdpr: ['IV_35.7.d'],
+ hipaa: ['164.312.b'],
+ nist_800_53: ['AU.6'],
+ tsc: ['CC7.2', 'CC7.3'],
+ mitre: { tactic: ['Initial Access'], id: ['T1133'], technique: ['External Remote Services'] },
+ groups: ['service_availability', 'syslog', 'pix'],
+ description: 'PIX: The PIX is disallowing new connections.',
+ },
+ {
+ filename: '0065-pix_rules.xml',
+ relative_dirname: 'ruleset/rules',
+ id: 4339,
+ level: 8,
+ status: 'enabled',
+ details: { if_sid: '4314', id: '^5-111003' },
+ pci_dss: ['1.1.1', '10.4'],
+ gpg13: ['4.13'],
+ gdpr: ['IV_35.7.d'],
+ hipaa: ['164.312.a.1', '164.312.b'],
+ nist_800_53: ['CM.3', 'CM.5', 'AU.8'],
+ tsc: ['CC8.1', 'CC6.1', 'CC6.8', 'CC7.2', 'CC7.3'],
+ mitre: { tactic: ['Defense Evasion'], id: ['T1089'], technique: ['Disabling Security Tools'] },
+ groups: ['config_changed', 'syslog', 'pix'],
+ description: 'PIX: Firewall configuration deleted.',
+ },
+ {
+ filename: '0065-pix_rules.xml',
+ relative_dirname: 'ruleset/rules',
+ id: 4340,
+ level: 8,
+ status: 'enabled',
+ details: { if_sid: '4314', id: '^5-111005|^5-111004|^5-111002|^5-111007' },
+ pci_dss: ['1.1.1', '10.4'],
+ gpg13: ['4.13'],
+ gdpr: ['IV_35.7.d'],
+ hipaa: ['164.312.a.1', '164.312.b'],
+ nist_800_53: ['CM.3', 'CM.5', 'AU.8'],
+ tsc: ['CC8.1', 'CC6.1', 'CC6.8', 'CC7.2', 'CC7.3'],
+ mitre: { tactic: ['Defense Evasion'], id: ['T1089'], technique: ['Disabling Security Tools'] },
+ groups: ['config_changed', 'syslog', 'pix'],
+ description: 'PIX: Firewall configuration changed.',
+ },
+ {
+ filename: '0065-pix_rules.xml',
+ relative_dirname: 'ruleset/rules',
+ id: 4342,
+ level: 8,
+ status: 'enabled',
+ details: { if_sid: '4314', id: '^5-502101|^5-502102' },
+ pci_dss: ['8.1.2', '10.2.5'],
+ gpg13: ['4.13'],
+ gdpr: ['IV_35.7.d', 'IV_32.2'],
+ hipaa: ['164.312.a.2.I', '164.312.a.2.II', '164.312.b'],
+ nist_800_53: ['AC.2', 'IA.4', 'AU.14', 'AC.7'],
+ tsc: ['CC6.8', 'CC7.2', 'CC7.3'],
+ mitre: {
+ tactic: ['Defense Evasion', 'Initial Access'],
+ id: ['T1089', 'T1133'],
+ technique: ['Disabling Security Tools', 'External Remote Services'],
+ },
+ groups: ['adduser', 'account_changed', 'syslog', 'pix'],
+ description: 'PIX: User created or modified on the Firewall.',
+ },
+ {
+ filename: '0065-pix_rules.xml',
+ relative_dirname: 'ruleset/rules',
+ id: 4386,
+ level: 10,
+ status: 'enabled',
+ details: { frequency: '10', timeframe: '240', if_matched_sid: '4334', same_source_ip: '' },
+ pci_dss: ['11.4', '10.2.4', '10.2.5'],
+ gpg13: ['7.1'],
+ gdpr: ['IV_35.7.d', 'IV_32.2'],
+ hipaa: ['164.312.b'],
+ nist_800_53: ['SI.4', 'AU.14', 'AC.7'],
+ tsc: ['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3'],
+ mitre: {
+ tactic: ['Credential Access', 'Initial Access'],
+ id: ['T1110', 'T1133'],
+ technique: ['Brute Force', 'External Remote Services'],
+ },
+ groups: ['authentication_failures', 'syslog', 'pix'],
+ description: 'PIX: Multiple AAA (VPN) authentication failures.',
+ },
+ {
+ filename: '0070-netscreenfw_rules.xml',
+ relative_dirname: 'ruleset/rules',
+ id: 4505,
+ level: 11,
+ status: 'enabled',
+ details: { if_sid: '4503', id: '^00027' },
+ pci_dss: ['1.4', '10.6.1'],
+ gdpr: ['IV_35.7.d'],
+ hipaa: ['164.312.a.1', '164.312.b'],
+ nist_800_53: ['SC.7', 'AU.6'],
+ tsc: ['CC6.7', 'CC6.8', 'CC7.2', 'CC7.3'],
+ mitre: { tactic: ['Impact'], id: ['T1485'], technique: ['Data Destruction'] },
+ groups: ['service_availability', 'netscreenfw'],
+ description: 'Netscreen Erase sequence started.',
+ },
+ {
+ filename: '0070-netscreenfw_rules.xml',
+ relative_dirname: 'ruleset/rules',
+ id: 4506,
+ level: 8,
+ status: 'enabled',
+ details: { if_sid: '4501', id: '^00002' },
+ pci_dss: ['10.2.5', '10.2.2'],
+ gpg13: ['7.8'],
+ gdpr: ['IV_32.2'],
+ hipaa: ['164.312.b'],
+ nist_800_53: ['AU.14', 
'AC.7', 'AC.6'],
+ tsc: ['CC6.8', 'CC7.2', 'CC7.3'],
+ mitre: { tactic: ['Initial Access'], id: ['T1078'], technique: ['Valid Accounts'] },
+ groups: ['authentication_success', 'netscreenfw'],
+ description: 'Netscreen firewall: Successfull admin login',
+ },
+ {
+ filename: '0070-netscreenfw_rules.xml',
+ relative_dirname: 'ruleset/rules',
+ id: 4507,
+ level: 8,
+ status: 'enabled',
+ details: { if_sid: '4502', id: '^00515' },
+ pci_dss: ['10.2.5', '10.2.2'],
+ gpg13: ['7.8'],
+ gdpr: ['IV_32.2'],
+ hipaa: ['164.312.b'],
+ nist_800_53: ['AU.14', 'AC.7', 'AC.6'],
+ tsc: ['CC6.8', 'CC7.2', 'CC7.3'],
+ mitre: { tactic: ['Initial Access'], id: ['T1078'], technique: ['Valid Accounts'] },
+ groups: ['authentication_success', 'netscreenfw'],
+ description: 'Netscreen firewall: Successfull admin login',
+ },
+ {
+ filename: '0070-netscreenfw_rules.xml',
+ relative_dirname: 'ruleset/rules',
+ id: 4509,
+ level: 8,
+ status: 'enabled',
+ details: { if_sid: '4504', id: '^00767' },
+ pci_dss: ['1.1.1'],
+ gpg13: ['4.12'],
+ gdpr: ['IV_35.7.d'],
+ hipaa: ['164.312.a.1'],
+ nist_800_53: ['CM.3', 'CM.5'],
+ tsc: ['CC8.1'],
+ mitre: { tactic: ['Defense Evasion'], id: ['T1089'], technique: ['Disabling Security Tools'] },
+ groups: ['config_changed', 'netscreenfw'],
+ description: 'Netscreen firewall: configuration changed.',
+ },
+ {
+ filename: '0070-netscreenfw_rules.xml',
+ relative_dirname: 'ruleset/rules',
+ id: 4550,
+ level: 10,
+ status: 'enabled',
+ details: {
+ frequency: '6',
+ timeframe: '180',
+ ignore: '60',
+ if_matched_sid: '4503',
+ same_source_ip: '',
+ },
+ pci_dss: ['1.4', '10.6.1', '11.4'],
+ gpg13: ['4.1'],
+ gdpr: ['IV_35.7.d'],
+ hipaa: ['164.312.a.1', '164.312.b'],
+ nist_800_53: ['SC.7', 'AU.6', 'SI.4'],
+ tsc: ['CC6.7', 'CC6.8', 'CC7.2', 'CC7.3', 'CC6.1'],
+ mitre: { tactic: ['Impact'], id: ['T1499'], technique: ['Endpoint Denial of Service'] },
+ groups: ['netscreenfw'],
+ description: 'Netscreen firewall: Multiple critical messages from same source 
IP.',
+ },
+ {
+ filename: '0070-netscreenfw_rules.xml',
+ relative_dirname: 'ruleset/rules',
+ id: 4551,
+ level: 10,
+ status: 'enabled',
+ details: { frequency: '8', timeframe: '180', ignore: '60', if_matched_sid: '4503' },
+ mitre: { tactic: ['Impact'], id: ['T1499'], technique: ['Endpoint Denial of Service'] },
+ groups: ['netscreenfw'],
+ description: 'Netscreen firewall: Multiple critical messages.',
+ },
+ {
+ filename: '0075-cisco-ios_rules.xml',
+ relative_dirname: 'ruleset/rules',
+ id: 4722,
+ level: 3,
+ status: 'enabled',
+ details: { if_sid: '4715', id: '^%SEC_LOGIN-5-LOGIN_SUCCESS' },
+ pci_dss: ['10.2.5'],
+ gpg13: ['3.6'],
+ gdpr: ['IV_32.2'],
+ hipaa: ['164.312.b'],
+ nist_800_53: ['AU.14', 'AC.7'],
+ tsc: ['CC6.8', 'CC7.2', 'CC7.3'],
+ mitre: { tactic: ['Initial Access'], id: ['T1078'], technique: ['Valid Accounts'] },
+ groups: ['authentication_success', 'syslog', 'cisco_ios'],
+ description: 'Cisco IOS: Successful login to the router.',
+ },
+ {
+ filename: '0080-sonicwall_rules.xml',
+ relative_dirname: 'ruleset/rules',
+ id: 4810,
+ level: 3,
+ status: 'enabled',
+ details: { if_sid: '4806', id: '^236$' },
+ pci_dss: ['10.2.5'],
+ gpg13: ['3.6'],
+ gdpr: ['IV_32.2'],
+ hipaa: ['164.312.b'],
+ nist_800_53: ['AU.14', 'AC.7'],
+ tsc: ['CC6.8', 'CC7.2', 'CC7.3'],
+ mitre: { tactic: ['Initial Access'], id: ['T1078'], technique: ['Valid Accounts'] },
+ groups: ['authentication_success', 'syslog', 'sonicwall'],
+ description: 'SonicWall: Firewall administrator login.',
+ },
+ {
+ filename: '0080-sonicwall_rules.xml',
+ relative_dirname: 'ruleset/rules',
+ id: 4851,
+ level: 10,
+ status: 'enabled',
+ details: { frequency: '8', timeframe: '120', ignore: '60', if_matched_sid: '4803' },
+ pci_dss: ['10.6.1'],
+ gpg13: ['3.5'],
+ gdpr: ['IV_35.7.d'],
+ hipaa: ['164.312.b'],
+ nist_800_53: ['AU.6'],
+ tsc: ['CC7.2', 'CC7.3'],
+ mitre: { tactic: ['Impact'], id: ['T1499'], technique: ['Endpoint Denial of Service'] },
+ groups: ['service_availability', 
'syslog', 'sonicwall'],
+ description: 'SonicWall: Multiple firewall error messages.',
+ },
+ {
+ filename: '0020-syslog_rules.xml',
+ relative_dirname: 'ruleset/rules',
+ id: 5103,
+ level: 9,
+ status: 'enabled',
+ details: { if_sid: '5100', match: 'Oversized packet received from' },
+ gdpr: ['IV_35.7.d'],
+ mitre: { tactic: ['Impact'], id: ['T1499'], technique: ['Endpoint Denial of Service'] },
+ groups: ['syslog', 'linuxkernel'],
+ description: 'Error message from the kernel. Ping of death attack.',
+ },
+ {
+ filename: '0020-syslog_rules.xml',
+ relative_dirname: 'ruleset/rules',
+ id: 5104,
+ level: 8,
+ status: 'enabled',
+ details: {
+ if_sid: '5100',
+ regex: ['Promiscuous mode enabled|', 'device S+ entered promiscuous mode'],
+ },
+ pci_dss: ['10.6.1', '11.4'],
+ gpg13: ['4.13'],
+ gdpr: ['IV_35.7.d'],
+ hipaa: ['164.312.b'],
+ nist_800_53: ['AU.6', 'SI.4'],
+ tsc: ['CC7.2', 'CC7.3', 'CC6.1', 'CC6.8'],
+ mitre: { tactic: ['Discovery'], id: ['T1040'], technique: ['Network Sniffing'] },
+ groups: ['promisc', 'syslog', 'linuxkernel'],
+ description: 'Interface entered in promiscuous(sniffing) mode.',
+ },
+ {
+ filename: '0020-syslog_rules.xml',
+ relative_dirname: 'ruleset/rules',
+ id: 5108,
+ level: 12,
+ status: 'enabled',
+ details: { if_sid: '5100', match: 'Out of Memory: ' },
+ pci_dss: ['10.6.1'],
+ gpg13: ['4.12'],
+ gdpr: ['IV_35.7.d'],
+ hipaa: ['164.312.b'],
+ nist_800_53: ['AU.6'],
+ tsc: ['CC7.2', 'CC7.3'],
+ mitre: { tactic: ['Impact'], id: ['T1499'], technique: ['Endpoint Denial of Service'] },
+ groups: ['service_availability', 'syslog', 'linuxkernel'],
+ description: 'System running out of memory. 
Availability of the system is in risk.',
+ },
+ {
+ filename: '0020-syslog_rules.xml',
+ relative_dirname: 'ruleset/rules',
+ id: 5113,
+ level: 7,
+ status: 'enabled',
+ details: { if_sid: '5100', match: 'Kernel log daemon terminating' },
+ pci_dss: ['10.6.1'],
+ gpg13: ['4.14'],
+ gdpr: ['IV_35.7.d'],
+ hipaa: ['164.312.b'],
+ nist_800_53: ['AU.6'],
+ tsc: ['CC7.2', 'CC7.3'],
+ mitre: { tactic: ['Impact'], id: ['T1529'], technique: ['System Shutdown/Reboot'] },
+ groups: ['system_shutdown', 'syslog', 'linuxkernel'],
+ description: 'System is shutting down.',
+ },
+ {
+ filename: '0020-syslog_rules.xml',
+ relative_dirname: 'ruleset/rules',
+ id: 5132,
+ level: 11,
+ status: 'enabled',
+ details: { if_sid: '5100', match: 'module verification failed' },
+ mitre: { tactic: ['Persistence'], id: ['T1215'], technique: ['Kernel Modules and Extensions'] },
+ groups: ['syslog', 'linuxkernel'],
+ description: 'Unsigned kernel module was loaded',
+ },
+ {
+ filename: '0020-syslog_rules.xml',
+ relative_dirname: 'ruleset/rules',
+ id: 5133,
+ level: 11,
+ status: 'enabled',
+ details: { if_sid: '5100', match: 'PKCS#7 signature not signed with a trusted key' },
+ mitre: { tactic: ['Persistence'], id: ['T1215'], technique: ['Kernel Modules and Extensions'] },
+ groups: ['syslog', 'linuxkernel'],
+ description: 'Signed but untrusted kernel module was loaded',
+ },
+ {
+ filename: '0020-syslog_rules.xml',
+ relative_dirname: 'ruleset/rules',
+ id: 5302,
+ level: 9,
+ status: 'enabled',
+ details: { if_sid: '5301', user: '^root' },
+ pci_dss: ['10.2.4', '10.2.5'],
+ gpg13: ['7.8'],
+ gdpr: ['IV_35.7.d', 'IV_32.2'],
+ hipaa: ['164.312.b'],
+ nist_800_53: ['AU.14', 'AC.7'],
+ tsc: ['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3', 'CC7.4'],
+ mitre: { tactic: ['Privilege Escalation'], id: ['T1169'], technique: ['Sudo'] },
+ groups: ['authentication_failed', 'syslog', 'su'],
+ description: 'User missed the password to change UID to root.',
+ },
+ {
+ filename: '0020-syslog_rules.xml',
+ 
relative_dirname: 'ruleset/rules',
+ id: 5303,
+ level: 3,
+ status: 'enabled',
+ details: {
+ if_sid: '5300',
+ regex: [
+ "session opened for user root|^'su root'|",
+ '^+ S+ S+proot$|^S+ to root on|^SU S+ S+ + S+ S+-root$',
+ ],
+ },
+ pci_dss: ['10.2.5'],
+ gpg13: ['7.6', '7.8', '7.9'],
+ gdpr: ['IV_35.7.d', 'IV_32.2'],
+ hipaa: ['164.312.b'],
+ nist_800_53: ['AU.14', 'AC.7'],
+ tsc: ['CC6.8', 'CC7.2', 'CC7.3'],
+ mitre: { tactic: ['Initial Access'], id: ['T1078'], technique: ['Valid Accounts'] },
+ groups: ['authentication_success', 'syslog', 'su'],
+ description: 'User successfully changed UID to root.',
+ },
+ {
+ filename: '0020-syslog_rules.xml',
+ relative_dirname: 'ruleset/rules',
+ id: 5304,
+ level: 3,
+ status: 'enabled',
+ details: {
+ if_sid: '5300',
+ regex: ['session opened for user|succeeded for|', '^+|^S+ to |^SU S+ S+ + '],
+ },
+ pci_dss: ['10.2.5'],
+ gpg13: ['7.6', '7.8'],
+ gdpr: ['IV_35.7.d', 'IV_32.2'],
+ hipaa: ['164.312.b'],
+ nist_800_53: ['AU.14', 'AC.7'],
+ tsc: ['CC6.8', 'CC7.2', 'CC7.3'],
+ mitre: { tactic: ['Initial Access'], id: ['T1078'], technique: ['Valid Accounts'] },
+ groups: ['authentication_success', 'syslog', 'su'],
+ description: 'User successfully changed UID.',
+ },
+ {
+ filename: '0020-syslog_rules.xml',
+ relative_dirname: 'ruleset/rules',
+ id: 5401,
+ level: 5,
+ status: 'enabled',
+ details: { if_sid: '5400', match: 'incorrect password attempt' },
+ pci_dss: ['10.2.4', '10.2.5'],
+ gpg13: ['7.8'],
+ gdpr: ['IV_35.7.d', 'IV_32.2'],
+ hipaa: ['164.312.b'],
+ nist_800_53: ['AU.14', 'AC.7'],
+ tsc: ['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3'],
+ mitre: { tactic: ['Privilege Escalation'], id: ['T1169'], technique: ['Sudo'] },
+ groups: ['syslog', 'sudo'],
+ description: 'Failed attempt to run sudo.',
+ },
+ {
+ filename: '0020-syslog_rules.xml',
+ relative_dirname: 'ruleset/rules',
+ id: 5402,
+ level: 3,
+ status: 'enabled',
+ details: { if_sid: '5400', regex: ' ; USER=root ; COMMAND=| ; USER=root ; TSID=S+ ; COMMAND=' },
+ 
pci_dss: ['10.2.5', '10.2.2'],
+ gpg13: ['7.6', '7.8', '7.13'],
+ gdpr: ['IV_32.2'],
+ hipaa: ['164.312.b'],
+ nist_800_53: ['AU.14', 'AC.7', 'AC.6'],
+ tsc: ['CC6.8', 'CC7.2', 'CC7.3'],
+ mitre: { tactic: ['Privilege Escalation'], id: ['T1169'], technique: ['Sudo'] },
+ groups: ['syslog', 'sudo'],
+ description: 'Successful sudo to ROOT executed.',
+ },
+ {
+ filename: '0020-syslog_rules.xml',
+ relative_dirname: 'ruleset/rules',
+ id: 5403,
+ level: 4,
+ status: 'enabled',
+ details: { if_sid: '5400', if_fts: '' },
+ mitre: { tactic: ['Privilege Escalation'], id: ['T1169'], technique: ['Sudo'] },
+ groups: ['syslog', 'sudo'],
+ description: 'First time user executed sudo.',
+ },
+ {
+ filename: '0020-syslog_rules.xml',
+ relative_dirname: 'ruleset/rules',
+ id: 5404,
+ level: 10,
+ status: 'enabled',
+ details: { if_sid: '5401', match: '3 incorrect password attempts' },
+ pci_dss: ['10.2.4', '10.2.5'],
+ gpg13: ['7.8'],
+ gdpr: ['IV_35.7.d', 'IV_32.2'],
+ hipaa: ['164.312.b'],
+ nist_800_53: ['AU.14', 'AC.7'],
+ tsc: ['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3'],
+ mitre: { tactic: ['Privilege Escalation'], id: ['T1169'], technique: ['Sudo'] },
+ groups: ['syslog', 'sudo'],
+ description: 'Three failed attempts to run sudo',
+ },
+ {
+ filename: '0020-syslog_rules.xml',
+ relative_dirname: 'ruleset/rules',
+ id: 5405,
+ level: 5,
+ status: 'enabled',
+ details: { if_sid: '5400', match: 'user NOT in sudoers' },
+ pci_dss: ['10.2.2', '10.2.5'],
+ gpg13: ['7.8'],
+ gdpr: ['IV_35.7.d', 'IV_32.2'],
+ hipaa: ['164.312.b'],
+ nist_800_53: ['AU.14', 'AC.6', 'AC.7'],
+ tsc: ['CC6.8', 'CC7.2', 'CC7.3'],
+ mitre: { tactic: ['Privilege Escalation'], id: ['T1169'], technique: ['Sudo'] },
+ groups: ['syslog', 'sudo'],
+ description: 'Unauthorized user attempted to use sudo.',
+ },
+ {
+ filename: '0020-syslog_rules.xml',
+ relative_dirname: 'ruleset/rules',
+ id: 5407,
+ level: 3,
+ status: 'enabled',
+ details: { if_sid: '5400', regex: ' ; USER=S+ ; COMMAND=| ; USER=S+ ; TSID=S+ ; 
COMMAND=' },
+ pci_dss: ['10.2.5', '10.2.2'],
+ gpg13: ['7.6', '7.8', '7.13'],
+ gdpr: ['IV_32.2'],
+ tsc: ['CC6.8', 'CC7.2', 'CC7.3'],
+ mitre: { tactic: ['Privilege Escalation'], id: ['T1169'], technique: ['Sudo'] },
+ groups: ['syslog', 'sudo'],
+ description: 'Successful sudo executed.',
+ },
+ {
+ filename: '0085-pam_rules.xml',
+ relative_dirname: 'ruleset/rules',
+ id: 5501,
+ level: 3,
+ status: 'enabled',
+ details: { if_sid: '5500', match: 'session opened for user ' },
+ pci_dss: ['10.2.5'],
+ gpg13: ['7.8', '7.9'],
+ gdpr: ['IV_32.2'],
+ hipaa: ['164.312.b'],
+ nist_800_53: ['AU.14', 'AC.7'],
+ tsc: ['CC6.8', 'CC7.2', 'CC7.3'],
+ mitre: { tactic: ['Initial Access'], id: ['T1078'], technique: ['Valid Accounts'] },
+ groups: ['authentication_success', 'pam', 'syslog'],
+ description: 'PAM: Login session opened.',
+ },
+ {
+ filename: '0085-pam_rules.xml',
+ relative_dirname: 'ruleset/rules',
+ id: 5551,
+ level: 10,
+ status: 'enabled',
+ details: { frequency: '8', timeframe: '180', if_matched_sid: '5503', same_source_ip: '' },
+ pci_dss: ['10.2.4', '10.2.5', '11.4'],
+ gpg13: ['7.8'],
+ gdpr: ['IV_35.7.d', 'IV_32.2'],
+ hipaa: ['164.312.b'],
+ nist_800_53: ['AU.14', 'AC.7', 'SI.4'],
+ tsc: ['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3'],
+ mitre: { tactic: ['Credential Access'], id: ['T1110'], technique: ['Brute Force'] },
+ groups: ['authentication_failures', 'pam', 'syslog'],
+ description: 'PAM: Multiple failed logins in a small period of time.',
+ },
+ {
+ filename: '0090-telnetd_rules.xml',
+ relative_dirname: 'ruleset/rules',
+ id: 5601,
+ level: 5,
+ status: 'enabled',
+ details: { if_sid: '5600', match: 'refused connect from ' },
+ gdpr: ['IV_35.7.d'],
+ mitre: {
+ tactic: ['Command and Control'],
+ id: ['T1095'],
+ technique: ['Standard Non-Application Layer Protocol'],
+ },
+ groups: ['syslog', 'telnetd'],
+ description: 'telnetd: Connection refused by TCP Wrappers.',
+ },
+ {
+ filename: '0090-telnetd_rules.xml',
+ relative_dirname: 'ruleset/rules',
+ id: 
5631,
+ level: 10,
+ status: 'enabled',
+ details: { frequency: '6', timeframe: '120', if_matched_sid: '5602', same_source_ip: '' },
+ gdpr: ['IV_35.7.d', 'IV_32.2'],
+ mitre: { tactic: ['Credential Access'], id: ['T1110'], technique: ['Brute Force'] },
+ groups: ['syslog', 'telnetd'],
+ description: 'telnetd: Multiple connection attempts from same source (possible scan).',
+ },
+ {
+ filename: '0095-sshd_rules.xml',
+ relative_dirname: 'ruleset/rules',
+ id: 5701,
+ level: 8,
+ status: 'enabled',
+ details: { if_sid: '5700', match: 'Bad protocol version identification' },
+ pci_dss: ['11.4'],
+ gpg13: ['4.12'],
+ gdpr: ['IV_35.7.d'],
+ nist_800_53: ['SI.4'],
+ tsc: ['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3'],
+ mitre: {
+ tactic: ['Initial Access'],
+ id: ['T1190'],
+ technique: ['Exploit Public-Facing Application'],
+ },
+ groups: ['recon', 'syslog', 'sshd'],
+ description: 'sshd: Possible attack on the ssh server (or version gathering).',
+ },
+ {
+ filename: '0095-sshd_rules.xml',
+ relative_dirname: 'ruleset/rules',
+ id: 5703,
+ level: 10,
+ status: 'enabled',
+ details: { frequency: '6', timeframe: '360', if_matched_sid: '5702', same_source_ip: '' },
+ pci_dss: ['11.4'],
+ gpg13: ['4.12'],
+ gdpr: ['IV_35.7.d'],
+ nist_800_53: ['SI.4'],
+ tsc: ['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3'],
+ mitre: { tactic: ['Credential Access'], id: ['T1110'], technique: ['Brute Force'] },
+ groups: ['syslog', 'sshd'],
+ description: 'sshd: Possible breakin attempt (high number of reverse lookup errors).',
+ },
+ {
+ filename: '0095-sshd_rules.xml',
+ relative_dirname: 'ruleset/rules',
+ id: 5705,
+ level: 10,
+ status: 'enabled',
+ details: { frequency: '6', timeframe: '360', if_matched_sid: '5704' },
+ pci_dss: ['11.4'],
+ gpg13: ['4.12'],
+ gdpr: ['IV_35.7.d'],
+ nist_800_53: ['SI.4'],
+ tsc: ['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3'],
+ mitre: {
+ tactic: ['Initial Access', 'Credential Access'],
+ id: ['T1190', 'T1110'],
+ technique: ['Exploit Public-Facing Application', 'Brute Force'],
+ 
},
+ groups: ['syslog', 'sshd'],
+ description: 'sshd: Possible scan or breakin attempt (high number of login timeouts).',
+ },
+ {
+ filename: '0095-sshd_rules.xml',
+ relative_dirname: 'ruleset/rules',
+ id: 5706,
+ level: 6,
+ status: 'enabled',
+ details: { if_sid: '5700', match: 'Did not receive identification string from' },
+ pci_dss: ['11.4'],
+ gpg13: ['4.12'],
+ gdpr: ['IV_35.7.d'],
+ nist_800_53: ['SI.4'],
+ tsc: ['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3'],
+ mitre: { tactic: ['Command and Control'], id: ['T1043'], technique: ['Commonly Used Port'] },
+ groups: ['recon', 'syslog', 'sshd'],
+ description: 'sshd: insecure connection attempt (scan).',
+ },
+];
-export const arrayGroups = ['syslog', 'authentication_failed', 'sshd', 'sysmon-modular', 'access_control'];
 export const arrayLocation = ['EventChannel', '/var/log/auth.log', '/var/log/secure'];
-export const arrayRuleDescription = ['sshd: authentication failed.', 'syslog: User missed the password more than one time', 'Multiple Windows Logon Failures', 'sshd: Multiple authentication failures.', 'PAM: User login failed', 'syslog: User missed the password more than one time'];