Merge branch '3.7'

CHANGELOG.md

@@ -12,6 +12,7 @@ All notable changes to this project will be documented in this file.
 
 - osquery: Rename alerts fields reference. ([#196](https://github.com/wazuh/wazuh-ruleset/pull/196))
 - update_ruleset is not available in worker nodes. ([#225](https://github.com/wazuh/wazuh-ruleset/pull/225))
+- Update composite rules to match only same_source_ip events. ([#161](https://github.com/wazuh/wazuh-ruleset/pull/161))
 
 ### Fixed
 

VERSION

@@ -1,2 +1,2 @@
 RULESET_VERSION="v3.7.0"
-REVISION="3701"
+REVISION="3702"

rules/0065-pix_rules.xml

@@ -226,5 +226,6 @@
     <if_matched_sid>4334</if_matched_sid>
     <description>PIX: Multiple AAA (VPN) authentication failures.</description>
     <group>authentication_failures,pci_dss_11.4,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,</group>
+    <same_source_ip />
   </rule>
 </group>

rules/0090-telnetd_rules.xml

@@ -9,7 +9,7 @@
 
 <group name="syslog,telnetd,">
   <rule id="5600" level="0" noalert="1">
-    <match>telnetd</match>
+    <decoded_as>telnetd</decoded_as>
     <description>Grouping for the telnetd rules</description>
   </rule>
 
@@ -22,13 +22,14 @@
 
   <rule id="5602" level="3">
     <if_sid>5600</if_sid>
-    <match>: connect from </match>
+    <match>connect from </match>
     <description>telnetd: Remote host established a telnet connection.</description>
     <group>gdpr_IV_32.2,</group>
   </rule>
 
   <rule id="5603" level="5" timeframe="1">
     <match>ttloop:  peer died:|ttloop:  read:</match>
+    <if_sid>5600</if_sid>
     <if_matched_sid>5602</if_matched_sid>
     <description>telnetd: Remote host invalid connection.</description>
     <group>gdpr_IV_35.7.d,gdpr_IV_32.2,</group>
@@ -40,12 +41,12 @@
     <group>gdpr_IV_35.7.d,</group>
   </rule>
 
-  <rule id="5631" level="10" frequency="8" timeframe="120">
+  <rule id="5631" level="10" frequency="6" timeframe="120">
     <if_matched_sid>5602</if_matched_sid>
     <same_source_ip />
     <description>telnetd: Multiple connection attempts from same source </description>
     <description>(possible scan).</description>
     <group>gdpr_IV_35.7.d,gdpr_IV_32.2,</group>
   </rule>
 
-</group>
+</group>

rules/0095-sshd_rules.xml

@@ -30,6 +30,7 @@
 
   <rule id="5703" level="10" frequency="6" timeframe="360">
     <if_matched_sid>5702</if_matched_sid>
+    <same_source_ip />
     <description>sshd: Possible breakin attempt </description>
     <description>(high number of reverse lookup errors).</description>
     <group>pci_dss_11.4,gpg13_4.12,gdpr_IV_35.7.d,</group>

rules/0180-pure-ftpd_rules.xml

@@ -49,6 +49,7 @@
 
   <rule id="11306" level="10" frequency="8" timeframe="120">
     <if_matched_sid>11302</if_matched_sid>
+    <same_source_ip />
     <description>pure-ftpd: FTP brute force (multiple failed logins).</description>
     <group>authentication_failures,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_11.4,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,</group>
   </rule>

rules/0190-ms_ftpd_rules.xml

@@ -43,6 +43,7 @@
 
   <rule id="11510" level="10" frequency="8" timeframe="120">
     <if_matched_sid>11502</if_matched_sid>
+    <same_source_ip />
     <description>MS-FTP: FTP brute force (multiple failed logins).</description>
     <group>authentication_failures,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_11.4,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,</group>
   </rule>

rules/0220-msauth_rules.xml

@@ -923,12 +923,14 @@
 
   <rule id="18152" level="10" frequency="$MS_FREQ" timeframe="240">
     <if_matched_group>win_authentication_failed</if_matched_group>
+    <same_source_ip />
     <description>Multiple Windows Logon Failures.</description>
     <group>authentication_failures,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_11.4,gdpr_IV_35.7.d,gdpr_IV_32.2,</group>
   </rule>
 
   <rule id="18153" level="10" frequency="$MS_FREQ" timeframe="240">
     <if_matched_sid>18105</if_matched_sid>
+    <same_source_ip />
     <description>Multiple Windows audit failure events.</description>
     <group>pci_dss_10.6.1,gdpr_IV_35.7.d,</group>
   </rule>
@@ -985,3 +987,4 @@
   </rule>
 
 </group>
+

rules/0235-vmware_rules.xml

@@ -138,12 +138,14 @@
 
   <rule id="19152" level="10" frequency="8" timeframe="120">
     <if_matched_sid>19111</if_matched_sid>
+    <same_source_ip />
     <description>Multiple VMWare ESX authentication failures.</description>
     <group>authentication_failures,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_11.4,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,</group>
   </rule>
 
   <rule id="19153" level="10" frequency="8" timeframe="120">
     <if_matched_sid>19113</if_matched_sid>
+    <same_source_ip />
     <description>Multiple VMWare ESX user authentication failures.</description>
     <group>authentication_failures,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_11.4,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,</group>
   </rule>

rules/0280-attack_rules.xml

@@ -65,6 +65,7 @@
 
   <rule id="40111" level="10" frequency="12" timeframe="160">
     <if_matched_group>authentication_failed</if_matched_group>
+    <same_source_ip />
     <description>Multiple authentication failures.</description>
     <group>authentication_failures,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,gpg13_7.8,gdpr_IV_35.7.d,gdpr_IV_32.2,</group>
   </rule>

rules/0345-netscaler_rules.xml

@@ -126,6 +126,7 @@ id (Decoder): AAA, UI, API, SSLVPN, EVENT, SSLLOG, APPFW, TCP, ROUTING, SNMP, AC
 
     <rule id="80112" level="10" frequency="10" timeframe="120">
         <if_matched_sid>80111</if_matched_sid>
+        <same_source_ip />
         <description>Netscaler: Multiple non-http resource access denied</description>
         <group>netscaler-sslvpn,access_denied,pci_dss_10.2.4,pci_dss_11.4,gdpr_IV_35.7.d,</group>
     </rule>

rules/0470-vshell_rules.xml

@@ -49,6 +49,7 @@
 
   <rule id="86806" level="12" frequency="7" timeframe="120">
     <if_matched_sid>86804</if_matched_sid>
+    <same_source_ip />
     <description>VShell multiple connection attempts within 2 minute by a host in the deny file, potential DOS or brute force attempt.</description>
     <group>gdpr_IV_35.7.d,gdpr_IV_32.2,</group>
   </rule>