
Update composite rules (#161)

SitoRBJ authored and jesuslinares committed Nov 6, 2018
1 parent 9a1a848 commit 88664beb45ecb30194294f53fa71e539909d1ee7
@@ -194,25 +194,29 @@
<rule id="4380" level="10" frequency="8" timeframe="360">
<if_matched_sid>4310</if_matched_sid>
<description>Multiple PIX alert messages.</description>
<same_id />
<group>pci_dss_10.6.1,pci_dss_11.4,gpg13_4.12,gdpr_IV_35.7.d,</group>
</rule>
<rule id="4381" level="10" frequency="8" timeframe="360">
<if_matched_sid>4311</if_matched_sid>
<description>PIX: Multiple critical messages.</description>
<group>pci_dss_10.6.1,pci_dss_11.4,gpg13_4.1,gdpr_IV_35.7.d,</group>
<same_id />
</rule>
<rule id="4382" level="10" frequency="10" timeframe="120">
<if_matched_sid>4312</if_matched_sid>
<description>PIX: Multiple error messages.</description>
<group>system_error,pci_dss_10.6.1,pci_dss_11.4,gpg13_4.3,gdpr_IV_35.7.d,</group>
<same_id />
</rule>
<rule id="4383" level="10" frequency="10" timeframe="120">
<if_matched_sid>4313</if_matched_sid>
<description>PIX: Multiple warning messages.</description>
<group>pci_dss_10.6.1,gpg13_4.12,gdpr_IV_35.7.d,</group>
<same_id />
</rule>
<rule id="4385" level="10" frequency="10" timeframe="240" ignore="90">
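Review bot: `<same_id />` on rules 4380–4383 (and, going by the +4 line count in this hunk header and the +1 in the next one, presumably 4385 and the rule at L37 as well) changes what the frequency threshold counts: it is now repeats of one decoded PIX message `id`, not any eight or ten messages from the firewall, and an event for which the decoder leaves `id` unset would likely not be correlated at all. Neither the descriptions nor the commit message ("Update composite rules") records that narrowing, so a reader of the rule file cannot tell it was deliberate; a comment above rule 4380 such as `<!-- same_id: frequency is counted per decoded PIX message id, not per device -->` would capture it. As a point of style, 4380 places `<group>` before `<same_id />` while 4381–4383 place it after; the ordering should be made consistent. Rule 4385 opens on the last line of this hunk and its body continues outside it.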
@@ -226,5 +230,6 @@
<if_matched_sid>4334</if_matched_sid>
<description>PIX: Multiple AAA (VPN) authentication failures.</description>
<group>authentication_failures,pci_dss_11.4,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,</group>
<same_id />
</rule>
</group>
@@ -9,7 +9,7 @@
<group name="syslog,telnetd,">
<rule id="5600" level="0" noalert="1">
<match>telnetd</match>
<decoded_as>telnetd</decoded_as>
<description>Grouping for the telnetd rules</description>
</rule>
@@ -22,13 +22,14 @@
<rule id="5602" level="3">
<if_sid>5600</if_sid>
<match>: connect from </match>
<match>connect from </match>
<description>telnetd: Remote host established a telnet connection.</description>
<group>gdpr_IV_32.2,</group>
</rule>
<rule id="5603" level="5" timeframe="1">
<match>ttloop: peer died:|ttloop: read:</match>
<if_sid>5600</if_sid>
<if_matched_sid>5602</if_matched_sid>
<description>telnetd: Remote host invalid connection.</description>
<group>gdpr_IV_35.7.d,gdpr_IV_32.2,</group>
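Review bot: If L54 is the new side of the `<match>` on rule 5602 (the rendered diff has lost its markers, so this is inferred from the old/new pair at L53–L54 and the +1 hunk count), dropping the leading `: ` widens the rule to any telnetd message containing `connect from `, including lines the previous pattern did not accept; since rule 5631's scan detection is keyed off 5602, that broadening propagates to the composite alert and is worth confirming as intended. Rule 5603 at L58 declares `timeframe="1"` together with `<if_matched_sid>` but no `frequency`, and mixes that with `<if_sid>`; that is pre-existing, and the rule's body continues past the end of this hunk, so whether the missing `frequency` is deliberate cannot be checked here, but a short comment on the rule stating the intended firing condition would help.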
@@ -40,12 +41,12 @@
<group>gdpr_IV_35.7.d,</group>
</rule>
<rule id="5631" level="10" frequency="8" timeframe="120">
<rule id="5631" level="10" frequency="6" timeframe="120">
<if_matched_sid>5602</if_matched_sid>
<same_source_ip />
<description>telnetd: Multiple connection attempts from same source </description>
<description>(possible scan).</description>
<group>gdpr_IV_35.7.d,gdpr_IV_32.2,</group>
</rule>
</group>
</group>
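Review bot: Adding `<same_source_ip />` to rule 5631 makes the correlation per source address, so connection attempts spread across several sources no longer accumulate toward the threshold even though the lowered frequency (8 → 6 between L67 and L68) reads as an attempt to make the rule fire sooner; the same trade-off applies to the `<same_source_ip />` lines in the hunks at L77, L84, L91, L98, L114, L127, L134 and L141 (that these lines are additions is inferred from the +1/+2 hunk counts, since the rendered page dropped the markers). Events for which the decoder does not extract a source IP — a Windows logon failure with no network source feeding 18152 via `win_authentication_failed`, for example — would presumably drop out of the correlation silently rather than be counted under a shared bucket. The commit message only says "Update composite rules", so the decision to trade distributed-source coverage for fewer cross-host false positives is not documented anywhere; a comment once per file, e.g. `<!-- Composite rules below correlate per source IP; events without a decoded srcip are not counted -->`, would make the detection scope explicit to whoever tunes these thresholds next.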
@@ -30,6 +30,7 @@
<rule id="5703" level="10" frequency="6" timeframe="360">
<if_matched_sid>5702</if_matched_sid>
<same_source_ip />
<description>sshd: Possible breakin attempt </description>
<description>(high number of reverse lookup errors).</description>
<group>pci_dss_11.4,gpg13_4.12,gdpr_IV_35.7.d,</group>
@@ -49,6 +49,7 @@
<rule id="11306" level="10" frequency="8" timeframe="120">
<if_matched_sid>11302</if_matched_sid>
<same_source_ip />
<description>pure-ftpd: FTP brute force (multiple failed logins).</description>
<group>authentication_failures,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_11.4,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,</group>
</rule>
@@ -43,6 +43,7 @@
<rule id="11510" level="10" frequency="8" timeframe="120">
<if_matched_sid>11502</if_matched_sid>
<same_source_ip />
<description>MS-FTP: FTP brute force (multiple failed logins).</description>
<group>authentication_failures,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_11.4,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,</group>
</rule>
@@ -923,12 +923,14 @@
<rule id="18152" level="10" frequency="$MS_FREQ" timeframe="240">
<if_matched_group>win_authentication_failed</if_matched_group>
<same_source_ip />
<description>Multiple Windows Logon Failures.</description>
<group>authentication_failures,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_11.4,gdpr_IV_35.7.d,gdpr_IV_32.2,</group>
</rule>
<rule id="18153" level="10" frequency="$MS_FREQ" timeframe="240">
<if_matched_sid>18105</if_matched_sid>
<same_source_ip />
<description>Multiple Windows audit failure events.</description>
<group>pci_dss_10.6.1,gdpr_IV_35.7.d,</group>
</rule>
@@ -985,3 +987,4 @@
</rule>
</group>
@@ -138,12 +138,14 @@
<rule id="19152" level="10" frequency="8" timeframe="120">
<if_matched_sid>19111</if_matched_sid>
<same_source_ip />
<description>Multiple VMWare ESX authentication failures.</description>
<group>authentication_failures,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_11.4,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,</group>
</rule>
<rule id="19153" level="10" frequency="8" timeframe="120">
<if_matched_sid>19113</if_matched_sid>
<same_source_ip />
<description>Multiple VMWare ESX user authentication failures.</description>
<group>authentication_failures,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_11.4,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,</group>
</rule>
@@ -65,6 +65,7 @@
<rule id="40111" level="10" frequency="12" timeframe="160">
<if_matched_group>authentication_failed</if_matched_group>
<same_source_ip />
<description>Multiple authentication failures.</description>
<group>authentication_failures,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,gpg13_7.8,gdpr_IV_35.7.d,gdpr_IV_32.2,</group>
</rule>
@@ -126,6 +126,7 @@ id (Decoder): AAA, UI, API, SSLVPN, EVENT, SSLLOG, APPFW, TCP, ROUTING, SNMP, AC
<rule id="80112" level="10" frequency="10" timeframe="120">
<if_matched_sid>80111</if_matched_sid>
<same_source_ip />
<description>Netscaler: Multiple non-http resource access denied</description>
<group>netscaler-sslvpn,access_denied,pci_dss_10.2.4,pci_dss_11.4,gdpr_IV_35.7.d,</group>
</rule>
@@ -49,6 +49,7 @@
<rule id="86806" level="12" frequency="7" timeframe="120">
<if_matched_sid>86804</if_matched_sid>
<same_source_ip />
<description>VShell multiple connection attempts within 2 minute by a host in the deny file, potential DOS or brute force attempt.</description>
<group>gdpr_IV_35.7.d,gdpr_IV_32.2,</group>
</rule>
