
Adapt rules frequency removing the offset

chemamartinez committed Jun 21, 2018
1 parent 37e6b9c commit a650e873dbbdbc008206838068775206e363b2f0
Showing with 205 additions and 207 deletions.
  1. +1 −1 rules/0020-syslog_rules.xml
  2. +7 −7 rules/0025-sendmail_rules.xml
  3. +2 −2 rules/0030-postfix_rules.xml
  4. +1 −1 rules/0040-imapd_rules.xml
  5. +1 −1 rules/0045-mailscanner_rules.xml
  6. +2 −2 rules/0050-ms-exchange_rules.xml
  7. +2 −2 rules/0055-courier_rules.xml
  8. +1 −1 rules/0060-firewall_rules.xml
  9. +6 −6 rules/0065-pix_rules.xml
  10. +4 −4 rules/0070-netscreenfw_rules.xml
  11. +2 −2 rules/0080-sonicwall_rules.xml
  12. +1 −1 rules/0085-pam_rules.xml
  13. +1 −1 rules/0090-telnetd_rules.xml
  14. +6 −6 rules/0095-sshd_rules.xml
  15. +5 −5 rules/0105-asterisk_rules.xml
  16. +2 −2 rules/0135-hordeimp_rules.xml
  17. +2 −2 rules/0140-roundcube_rules.xml
  18. +2 −2 rules/0155-dovecot_rules.xml
  19. +1 −1 rules/0160-vmpop3d_rules.xml
  20. +3 −3 rules/0165-vpopmail_rules.xml
  21. +3 −3 rules/0175-proftpd_rules.xml
  22. +3 −3 rules/0180-pure-ftpd_rules.xml
  23. +2 −2 rules/0185-vsftpd_rules.xml
  24. +3 −3 rules/0190-ms_ftpd_rules.xml
  25. +1 −1 rules/0195-named_rules.xml
  26. +1 −1 rules/0205-racoon_rules.xml
  27. +1 −1 rules/0210-vpn_concentrator_rules.xml
  28. +1 −1 rules/0220-msauth_rules.xml
  29. +1 −1 rules/0225-mcafee_av_rules.xml
  30. +2 −2 rules/0230-ms-se_rules.xml
  31. +5 −5 rules/0235-vmware_rules.xml
  32. +3 −3 rules/0240-ids_rules.xml
  33. +7 −7 rules/0245-web_rules.xml
  34. +5 −5 rules/0250-apache_rules.xml
  35. +1 −1 rules/0255-zeus_rules.xml
  36. +1 −1 rules/0260-nginx_rules.xml
  37. +2 −2 rules/0270-web_appsec_rules.xml
  38. +2 −2 rules/0275-squid_rules.xml
  39. +4 −4 rules/0280-attack_rules.xml
  40. +1 −1 rules/0295-mysql_rules.xml
  41. +2 −2 rules/0300-postgresql_rules.xml
  42. +2 −2 rules/0305-dropbear_rules.xml
  43. +1 −1 rules/0320-clam_av_rules.xml
  44. +6 −6 rules/0345-netscaler_rules.xml
  45. +2 −2 rules/0350-amazon_rules.xml
  46. +2 −2 rules/0360-serv-u_rules.xml
  47. +12 −12 rules/0390-fortigate_rules.xml
  48. +1 −1 rules/0395-hp_rules.xml
  49. +2 −2 rules/0400-openvpn_rules.xml
  50. +1 −1 rules/0405-rsa-auth-manager_rules.xml
  51. +23 −23 rules/0440-ms_sqlserver_rules.xml
  52. +5 −5 rules/0445-identity_guard_rules.xml
  53. +1 −1 rules/0450-mongodb_rules.xml
  54. +2 −2 rules/0470-vshell_rules.xml
  55. +2 −2 rules/0495-proxmox-ve_rules.xml
  56. +6 −6 rules/0500-owncloud_rules.xml
  57. +2 −3 rules/0515-exim_rules.xml
  58. +3 −3 rules/0525-openvas_rules.xml
  59. +1 −2 rules/0540-pfsense_rules.xml
  60. +2 −2 rules/translated/pure_ftpd/pure-ftpd_rules_da.xml
  61. +2 −2 rules/translated/pure_ftpd/pure-ftpd_rules_de.xml
  62. +2 −2 rules/translated/pure_ftpd/pure-ftpd_rules_en.xml
  63. +2 −2 rules/translated/pure_ftpd/pure-ftpd_rules_es.xml
  64. +2 −2 rules/translated/pure_ftpd/pure-ftpd_rules_fr.xml
  65. +2 −2 rules/translated/pure_ftpd/pure-ftpd_rules_fr_funny.xml
  66. +2 −2 rules/translated/pure_ftpd/pure-ftpd_rules_it.xml
  67. +2 −2 rules/translated/pure_ftpd/pure-ftpd_rules_nl.xml
  68. +2 −2 rules/translated/pure_ftpd/pure-ftpd_rules_no.xml
  69. +2 −2 rules/translated/pure_ftpd/pure-ftpd_rules_pt_br.xml
  70. +2 −2 rules/translated/pure_ftpd/pure-ftpd_rules_ro.xml
  71. +2 −2 rules/translated/pure_ftpd/pure-ftpd_rules_sk.xml
  72. +2 −2 rules/translated/pure_ftpd/pure-ftpd_rules_sv.xml
  73. +2 −2 rules/translated/pure_ftpd/pure-ftpd_rules_tr.xml
@@ -182,7 +182,7 @@
<group>gdpr_IV_32.2,</group>
</rule>
<rule id="2509" level="5" timeframe="10" frequency="0">
<rule id="2509" level="5" timeframe="10" frequency="2">
<if_sid>2507</if_sid>
<if_matched_sid>2508</if_matched_sid>
<same_id />
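Review bot: The new line puts `timeframe` before `frequency` (`<rule id="2509" level="5" timeframe="10" frequency="2">`), whereas every other rule touched by this commit writes `frequency` first; attribute order means nothing to the parser, but the mixed order makes a bulk threshold edit harder to grep and review, so I would write `<rule id="2509" level="5" frequency="2" timeframe="10">`. The same ordering appears on sshd rule 5714 in the 0095-sshd_rules.xml section. The old value here was `frequency="0"`, the only zero threshold in the commit; if the engine treated 0 specially rather than as "offset only", the new literal 2 changes when this rule fires, which is worth confirming against the engine change this commit presumably tracks. The enclosing `<rule>` and `<group>` close outside the hunk.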
@@ -78,53 +78,53 @@
<group>system_error,gdpr_IV_35.7.d,</group>
</rule>
<rule id="3151" level="10" frequency="6" timeframe="120">
<rule id="3151" level="10" frequency="8" timeframe="120">
<if_matched_sid>3102</if_matched_sid>
<same_source_ip />
<description>sendmail: Sender domain has bogus MX record. </description>
<description>It should not be sending e-mail.</description>
<group>multiple_spam,pci_dss_11.4,gdpr_IV_35.7.d,</group>
</rule>
<rule id="3152" level="6" frequency="6" timeframe="120">
<rule id="3152" level="6" frequency="8" timeframe="120">
<if_matched_sid>3103</if_matched_sid>
<same_source_ip />
<description>sendmail: Multiple attempts to send e-mail from a </description>
<description>previously rejected sender (access).</description>
<group>multiple_spam,pci_dss_11.4,gdpr_IV_35.7.d,</group>
</rule>
<rule id="3153" level="6" frequency="6" timeframe="120">
<rule id="3153" level="6" frequency="8" timeframe="120">
<if_matched_sid>3104</if_matched_sid>
<same_source_ip />
<description>sendmail: Multiple relaying attempts of spam.</description>
<group>multiple_spam,pci_dss_11.4,gdpr_IV_35.7.d,</group>
</rule>
<rule id="3154" level="10" frequency="6" timeframe="120">
<rule id="3154" level="10" frequency="8" timeframe="120">
<if_matched_sid>3105</if_matched_sid>
<same_source_ip />
<description>sendmail: Multiple attempts to send e-mail </description>
<description>from invalid/unknown sender domain.</description>
<group>multiple_spam,pci_dss_11.4,gdpr_IV_35.7.d,</group>
</rule>
<rule id="3155" level="10" frequency="6" timeframe="120">
<rule id="3155" level="10" frequency="8" timeframe="120">
<if_matched_sid>3106</if_matched_sid>
<same_source_ip />
<description>sendmail: Multiple attempts to send e-mail from </description>
<description>invalid/unknown sender.</description>
<group>multiple_spam,pci_dss_11.4,gdpr_IV_35.7.d,</group>
</rule>
<rule id="3156" level="10" frequency="10" timeframe="120">
<rule id="3156" level="10" frequency="12" timeframe="120">
<if_matched_sid>3107</if_matched_sid>
<same_source_ip />
<description>sendmail: Multiple rejected e-mails from same source ip.</description>
<group>multiple_spam,pci_dss_11.4,gdpr_IV_35.7.d,</group>
</rule>
<rule id="3158" level="10" frequency="6" timeframe="120">
<rule id="3158" level="10" frequency="8" timeframe="120">
<if_matched_sid>3108</if_matched_sid>
<same_source_ip />
<description>sendmail: Multiple pre-greetings rejects.</description>
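Review bot: Seven thresholds in this section are edited by hand (rules 3151–3158, 6→8 and 10→12), while the postfix and imapd sections of the same commit carry the value in a single `<var>` (`POSTFIX_FREQ`, `IMAPD_FREQ`); a `<var name="SENDMAIL_FREQ">8</var>` at the top of the file, referenced as `frequency="$SENDMAIL_FREQ"`, would keep the spam-correlation rules in step the next time the threshold moves. The same hand-edited pattern repeats in the pix, netscreen, asterisk and sshd sections. Whatever the form, a one-line comment at the head of each rules file recording that `frequency` is now the literal number of matching events, with no implicit offset added by the engine, would spare the next reader the question of why every value grew by two. The `<rule id="3158">` element closes outside the hunk.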
@@ -7,7 +7,7 @@
- This program is a free software; you can redistribute it and/or modify it under the terms of GPLv2.
-->
<var name="POSTFIX_FREQ">6</var>
<var name="POSTFIX_FREQ">8</var>
<group name="syslog,postfix,">
<rule id="3300" level="0">
@@ -157,7 +157,7 @@
<group>multiple_spam,pci_dss_10.6.1,pci_dss_11.4,gdpr_IV_35.7.d,</group>
</rule>
<rule id="3357" level="10" frequency="6" timeframe="120" ignore="60">
<rule id="3357" level="10" frequency="8" timeframe="120" ignore="60">
<if_matched_sid>3332</if_matched_sid>
<same_source_ip />
<description>Postfix: Multiple SASL authentication failures.</description>
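Review bot: Rule 3357 keeps a literal `frequency="8"` while the same section bumps `<var name="POSTFIX_FREQ">` to 8 in the preceding hunk; if this rule is meant to track the shared value, `<rule id="3357" level="10" frequency="$POSTFIX_FREQ" timeframe="120" ignore="60">` stops the two from drifting apart, and if it is intentionally independent a short comment saying so would help. The `<rule>` closes outside the hunk.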
@@ -6,7 +6,7 @@
- This program is a free software; you can redistribute it and/or modify it under the terms of GPLv2.
-->
<var name="IMAPD_FREQ">6</var>
<var name="IMAPD_FREQ">8</var>
<group name="syslog,imapd,">
<rule id="3600" level="0" noalert="1">
@@ -25,7 +25,7 @@
<group>spam,</group>
</rule>
<rule id="3751" level="6" frequency="6" timeframe="180">
<rule id="3751" level="6" frequency="8" timeframe="180">
<if_matched_sid>3702</if_matched_sid>
<same_source_ip />
<description>mailscanner: Multiple attempts of spam.</description>
@@ -27,14 +27,14 @@
<group>spam,</group>
</rule>
<rule id="3851" level="9" frequency="10" timeframe="120" ignore="120">
<rule id="3851" level="9" frequency="12" timeframe="120" ignore="120">
<if_matched_sid>3801</if_matched_sid>
<same_source_ip />
<description>ms-exchange: Multiple e-mail attempts to an invalid account.</description>
<group>multiple_spam,pci_dss_10.6.1,gpg13_4.12,gdpr_IV_35.7.d,</group>
</rule>
<rule id="3852" level="9" frequency="12" timeframe="120" ignore="240">
<rule id="3852" level="9" frequency="14" timeframe="120" ignore="240">
<if_matched_sid>3802</if_matched_sid>
<same_source_ip />
<description>ms-exchange: Multiple e-mail 500 error code (spam).</description>
@@ -40,14 +40,14 @@
<group>authentication_success,pci_dss_10.2.5,gpg13_7.1,gpg13_7.2,gdpr_IV_32.2,</group>
</rule>
<rule id="3910" level="10" frequency="10" timeframe="30">
<rule id="3910" level="10" frequency="12" timeframe="30">
<if_matched_sid>3902</if_matched_sid>
<description>Courier brute force (multiple failed logins).</description>
<group>authentication_failures,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_11.4,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,</group>
<same_source_ip />
</rule>
<rule id="3911" level="10" frequency="15" timeframe="30">
<rule id="3911" level="10" frequency="17" timeframe="30">
<if_matched_sid>3901</if_matched_sid>
<same_source_ip />
<description>Courier: Multiple connection attempts from same source.</description>
@@ -23,7 +23,7 @@
<group>firewall_drop,pci_dss_1.4,gpg13_4.12,gdpr_IV_35.7.d,</group>
</rule>
<rule id="4151" level="10" frequency="16" timeframe="45" ignore="240">
<rule id="4151" level="10" frequency="18" timeframe="45" ignore="240">
<if_matched_sid>4101</if_matched_sid>
<same_source_ip />
<description>Multiple Firewall drop events from same source.</description>
@@ -191,38 +191,38 @@
<group>adduser,account_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_4.13,gdpr_IV_35.7.d,gdpr_IV_32.2,</group>
</rule>
<rule id="4380" level="10" frequency="6" timeframe="360">
<rule id="4380" level="10" frequency="8" timeframe="360">
<if_matched_sid>4310</if_matched_sid>
<description>Multiple PIX alert messages.</description>
<group>pci_dss_10.6.1,pci_dss_11.4,gpg13_4.12,gdpr_IV_35.7.d,</group>
</rule>
<rule id="4381" level="10" frequency="6" timeframe="360">
<rule id="4381" level="10" frequency="8" timeframe="360">
<if_matched_sid>4311</if_matched_sid>
<description>PIX: Multiple critical messages.</description>
<group>pci_dss_10.6.1,pci_dss_11.4,gpg13_4.1,gdpr_IV_35.7.d,</group>
</rule>
<rule id="4382" level="10" frequency="8" timeframe="120">
<rule id="4382" level="10" frequency="10" timeframe="120">
<if_matched_sid>4312</if_matched_sid>
<description>PIX: Multiple error messages.</description>
<group>system_error,pci_dss_10.6.1,pci_dss_11.4,gpg13_4.3,gdpr_IV_35.7.d,</group>
</rule>
<rule id="4383" level="10" frequency="8" timeframe="120">
<rule id="4383" level="10" frequency="10" timeframe="120">
<if_matched_sid>4313</if_matched_sid>
<description>PIX: Multiple warning messages.</description>
<group>pci_dss_10.6.1,gpg13_4.12,gdpr_IV_35.7.d,</group>
</rule>
<rule id="4385" level="10" frequency="8" timeframe="240" ignore="90">
<rule id="4385" level="10" frequency="10" timeframe="240" ignore="90">
<if_matched_sid>4333</if_matched_sid>
<same_source_ip />
<description>PIX: Multiple attack in progress messages.</description>
<group>pci_dss_10.6.1,pci_dss_11.4,gpg13_4.12,gdpr_IV_35.7.d,</group>
</rule>
<rule id="4386" level="10" frequency="8" timeframe="240">
<rule id="4386" level="10" frequency="10" timeframe="240">
<if_matched_sid>4334</if_matched_sid>
<description>PIX: Multiple AAA (VPN) authentication failures.</description>
<group>authentication_failures,pci_dss_11.4,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,</group>
@@ -79,28 +79,28 @@
<group>config_changed,pci_dss_1.1.1,gpg13_4.12,gdpr_IV_35.7.d,</group>
</rule>
<rule id="4550" level="10" frequency="4" timeframe="180" ignore="60">
<rule id="4550" level="10" frequency="6" timeframe="180" ignore="60">
<if_matched_sid>4503</if_matched_sid>
<same_source_ip />
<description>Netscreen firewall: Multiple critical messages from </description>
<description>same source IP.</description>
<group>pci_dss_1.4,pci_dss_10.6.1,pci_dss_11.4,gpg13_4.1,gdpr_IV_35.7.d,</group>
</rule>
<rule id="4551" level="10" frequency="6" timeframe="180" ignore="60">
<rule id="4551" level="10" frequency="8" timeframe="180" ignore="60">
<if_matched_sid>4503</if_matched_sid>
<description>Netscreen firewall: Multiple critical messages.</description>
</rule>
<rule id="4552" level="10" frequency="4" timeframe="180" ignore="60">
<rule id="4552" level="10" frequency="6" timeframe="180" ignore="60">
<if_matched_sid>4513</if_matched_sid>
<same_source_ip />
<description>Netscreen firewall: Multiple alert messages from </description>
<description>same source IP.</description>
<group>pci_dss_1.4,pci_dss_10.6.1,pci_dss_11.4,gpg13_4.12,gdpr_IV_35.7.d,</group>
</rule>
<rule id="4553" level="10" frequency="8" timeframe="100" ignore="60">
<rule id="4553" level="10" frequency="10" timeframe="100" ignore="60">
<if_matched_sid>4513</if_matched_sid>
<description>Netscreen firewall: Multiple alert messages.</description>
</rule>
@@ -71,13 +71,13 @@
<group>authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_3.6,gdpr_IV_35.7.d,gdpr_IV_32.2,</group>
</rule>
<rule id="4850" level="10" frequency="6" timeframe="120" ignore="60">
<rule id="4850" level="10" frequency="8" timeframe="120" ignore="60">
<if_matched_sid>4804</if_matched_sid>
<description>SonicWall: Multiple firewall warning messages.</description>
<group>service_availability,pci_dss_10.6.1,gdpr_IV_35.7.d,</group>
</rule>
<rule id="4851" level="10" frequency="6" timeframe="120" ignore="60">
<rule id="4851" level="10" frequency="8" timeframe="120" ignore="60">
<if_matched_sid>4803</if_matched_sid>
<description>SonicWall: Multiple firewall error messages.</description>
<group>service_availability,pci_dss_10.6.1,gpg13_3.5,gdpr_IV_35.7.d,</group>
@@ -61,7 +61,7 @@
<description>PAM: Ignoring events with a user or a password.</description>
</rule>
<rule id="5551" level="10" frequency="6" timeframe="180">
<rule id="5551" level="10" frequency="8" timeframe="180">
<if_matched_sid>5503</if_matched_sid>
<same_source_ip />
<description>PAM: Multiple failed logins in a small period of time.</description>
@@ -40,7 +40,7 @@
<group>gdpr_IV_35.7.d,</group>
</rule>
<rule id="5631" level="10" frequency="6" timeframe="120">
<rule id="5631" level="10" frequency="8" timeframe="120">
<if_matched_sid>5602</if_matched_sid>
<same_source_ip />
<description>telnetd: Multiple connection attempts from same source </description>
@@ -28,7 +28,7 @@
<group>pci_dss_11.4,gpg13_4.12,gdpr_IV_35.7.d,</group>
</rule>
<rule id="5703" level="10" frequency="4" timeframe="360">
<rule id="5703" level="10" frequency="6" timeframe="360">
<if_matched_sid>5702</if_matched_sid>
<description>sshd: Possible breakin attempt </description>
<description>(high number of reverse lookup errors).</description>
@@ -41,7 +41,7 @@
<description>sshd: Timeout while logging in.</description>
</rule>
<rule id="5705" level="10" frequency="4" timeframe="360">
<rule id="5705" level="10" frequency="6" timeframe="360">
<if_matched_sid>5704</if_matched_sid>
<description>sshd: Possible scan or breakin attempt </description>
<description>(high number of login timeouts).</description>
@@ -86,7 +86,7 @@
<description>sshd: Useless/Duplicated SSHD message without a user/ip.</description>
</rule>
<rule id="5712" level="10" frequency="6" timeframe="120" ignore="60">
<rule id="5712" level="10" frequency="8" timeframe="120" ignore="60">
<if_matched_sid>5710</if_matched_sid>
<description>sshd: brute force trying to get access to </description>
<description>the system.</description>
@@ -100,7 +100,7 @@
<description>sshd: Corrupted bytes on SSHD.</description>
</rule>
<rule id="5714" level="14" timeframe="120" frequency="1">
<rule id="5714" level="14" timeframe="120" frequency="3">
<if_matched_sid>5713</if_matched_sid>
<match>Local: crc32 compensation attack</match>
<description>sshd: SSH CRC-32 Compensation attack</description>
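Review bot: A literal `frequency="3"` on a signature-style level-14 rule reads as if three CRC-32 compensation attempts are now required before alerting, which is exactly the kind of line a future maintainer will "fix" back to 1; presumably the effective count is unchanged once the engine's implicit offset is gone, so I would pin that with a comment such as `<!-- frequency is the literal match count of 5713 within 120 s; the engine no longer adds an offset -->`. In the same file, rule 5720 (`<rule id="5720" level="10" frequency="8">`, last hunk of this section) still carries no `timeframe`, so its window depends on whatever default the engine applies; every other composite rule in this commit pins one, and an explicit `timeframe` would make the threshold self-describing. The `<rule>` elements close outside their hunks.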
@@ -136,13 +136,13 @@
<group>invalid_login,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,</group>
</rule>
<rule id="5719" level="10" frequency="6" timeframe="120" ignore="60">
<rule id="5719" level="10" frequency="8" timeframe="120" ignore="60">
<if_matched_sid>5718</if_matched_sid>
<description>sshd: Multiple access attempts using a denied user.</description>
<group>invalid_login,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_11.4,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,</group>
</rule>
<rule id="5720" level="10" frequency="6">
<rule id="5720" level="10" frequency="8">
<if_matched_sid>5716</if_matched_sid>
<same_source_ip />
<description>sshd: Multiple authentication failures.</description>
@@ -54,21 +54,21 @@
<group>invalid_login,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,</group>
</rule>
<rule id="6250" level="10" frequency="6" timeframe="300">
<rule id="6250" level="10" frequency="8" timeframe="300">
<if_matched_sid>6211</if_matched_sid>
<same_source_ip />
<description>Asterisk: Multiple failed logins (user enumeration in process).</description>
<group>pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_11.4,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,</group>
</rule>
<rule id="6251" level="10" frequency="6" timeframe="300">
<rule id="6251" level="10" frequency="8" timeframe="300">
<if_matched_sid>6210</if_matched_sid>
<same_source_ip />
<description>Asterisk: Multiple failed logins.</description>
<group>pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_11.4,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,</group>
</rule>
<rule id="6252" level="10" frequency="6" timeframe="300">
<rule id="6252" level="10" frequency="8" timeframe="300">
<if_matched_sid>6212</if_matched_sid>
<same_source_ip />
<description>Asterisk: Extension enumeration.</description>
@@ -85,7 +85,7 @@
</rule>
<!--From Javi Benito jabi.benito@gmail.com-->
<rule id="6254" level="10" frequency="3" timeframe="300">
<rule id="6254" level="10" frequency="5" timeframe="300">
<if_matched_sid>6253</if_matched_sid>
<same_source_ip />
<description>Asterisk: Extension IAX Enumeration.</description>
@@ -109,7 +109,7 @@
</rule>
<!--From Javi Benito jabi.benito@gmail.com-->
<rule id="6257" level="10" frequency="3" timeframe="300">
<rule id="6257" level="10" frequency="5" timeframe="300">
<if_matched_sid>6256</if_matched_sid>
<same_source_ip />
<description>Asterisk: Multiple failed logins.</description>
@@ -52,14 +52,14 @@
<group>authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,</group>
</rule>
<rule id="9351" level="10" frequency="6" timeframe="120">
<rule id="9351" level="10" frequency="8" timeframe="120">
<if_matched_sid>9306</if_matched_sid>
<same_source_ip />
<description>Horde brute force (multiple failed logins).</description>
<group>authentication_failures,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_11.4,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,</group>
</rule>
<rule id="9352" level="10" frequency="4" timeframe="320">
<rule id="9352" level="10" frequency="6" timeframe="320">
<if_matched_sid>9304</if_matched_sid>
<description>Multiple Horde emergency messages.</description>
<group>service_availability,pci_dss_10.6.1,gpg13_4.1,gdpr_IV_35.7.d,</group>
@@ -27,10 +27,10 @@
<group>authentication_success,pci_dss_10.2.5,gpg13_7.1,gpg13_7.2,gdpr_IV_32.2,</group>
</rule>
<rule id="9403" level="10" frequency="6" timeframe="120">
<rule id="9403" level="10" frequency="8" timeframe="120">
<if_matched_sid>9401</if_matched_sid>
<same_source_ip />
<description>Roundcube brute force (multiple failed logins).</description>
<group>authentication_failures,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_11.4,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,</group>
</rule>
</group>
</group>
