
Merge branch '3.7'

jesuslinares committed Nov 6, 2018
2 parents b9d5327 + e4b0fbc commit e4a02dfae7d7669241651485b80d458781edf1f4
@@ -12,6 +12,7 @@ All notable changes to this project will be documented in this file.
- osquery: Rename alerts fields reference. ([#196](https://github.com/wazuh/wazuh-ruleset/pull/196))
- update_ruleset is not available in worker nodes. ([#225](https://github.com/wazuh/wazuh-ruleset/pull/225))
- Update composite rules to match only same_source_ip events. ([#161](https://github.com/wazuh/wazuh-ruleset/pull/161))
### Fixed
@@ -1,2 +1,2 @@
RULESET_VERSION="v3.7.0"
REVISION="3701"
REVISION="3702"
@@ -226,5 +226,6 @@
<if_matched_sid>4334</if_matched_sid>
<description>PIX: Multiple AAA (VPN) authentication failures.</description>
<group>authentication_failures,pci_dss_11.4,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,</group>
<same_source_ip />
</rule>
</group>
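Review bot: The `<same_source_ip />` added at L25 only correlates events that carry a decoded `srcip`; if the PIX AAA authentication-failure message variants feeding rule 4334 do not all get `srcip` populated by the decoder, those events silently stop counting toward the composite threshold instead of failing loudly. The rule's opening tag with its `frequency`/`timeframe` is outside the hunk, so the effective threshold cannot be checked here. It is worth confirming with a logtest run on real PIX samples that `srcip` is present, and recording the dependency above the new element: `<!-- requires srcip from the PIX AAA decoder; events without srcip are not counted -->`.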
@@ -9,7 +9,7 @@
<group name="syslog,telnetd,">
<rule id="5600" level="0" noalert="1">
<match>telnetd</match>
<decoded_as>telnetd</decoded_as>
<description>Grouping for the telnetd rules</description>
</rule>
@@ -22,13 +22,14 @@
<rule id="5602" level="3">
<if_sid>5600</if_sid>
<match>: connect from </match>
<match>connect from </match>
<description>telnetd: Remote host established a telnet connection.</description>
<group>gdpr_IV_32.2,</group>
</rule>
<rule id="5603" level="5" timeframe="1">
<match>ttloop: peer died:|ttloop: read:</match>
<if_sid>5600</if_sid>
<if_matched_sid>5602</if_matched_sid>
<description>telnetd: Remote host invalid connection.</description>
<group>gdpr_IV_35.7.d,gdpr_IV_32.2,</group>
@@ -40,12 +41,12 @@
<group>gdpr_IV_35.7.d,</group>
</rule>
<rule id="5631" level="10" frequency="8" timeframe="120">
<rule id="5631" level="10" frequency="6" timeframe="120">
<if_matched_sid>5602</if_matched_sid>
<same_source_ip />
<description>telnetd: Multiple connection attempts from same source </description>
<description>(possible scan).</description>
<group>gdpr_IV_35.7.d,gdpr_IV_32.2,</group>
</rule>
</group>
</group>
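Review bot: Rule 5603 (L43-L48) now fires only when a 5602 connect event was seen within the 1-second `timeframe` (L43, L46), so a `ttloop: peer died` / `ttloop: read:` line arriving without a connect in the previous second — which previously alerted at level 5 through `<if_sid>5600</if_sid>` alone — is now dropped silently, and this narrowing is not covered by the changelog entry in this commit. Unlike the other composites touched here, 5603 has no `<same_source_ip />`, so it correlates with any prior telnet connect rather than the same host; ttloop lines may carry no decodable source address, which would explain it, but that should be stated in a comment such as `<!-- ttloop lines carry no srcip; correlates with any 5602 seen within 1s -->`. The loosened match at L39 (`connect from ` without the leading `: `) and the 5631 threshold drop from 8 to 6 at L53 both change alert volume for existing deployments and deserve a one-line rationale as well.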
@@ -30,6 +30,7 @@
<rule id="5703" level="10" frequency="6" timeframe="360">
<if_matched_sid>5702</if_matched_sid>
<same_source_ip />
<description>sshd: Possible breakin attempt </description>
<description>(high number of reverse lookup errors).</description>
<group>pci_dss_11.4,gpg13_4.12,gdpr_IV_35.7.d,</group>
@@ -49,6 +49,7 @@
<rule id="11306" level="10" frequency="8" timeframe="120">
<if_matched_sid>11302</if_matched_sid>
<same_source_ip />
<description>pure-ftpd: FTP brute force (multiple failed logins).</description>
<group>authentication_failures,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_11.4,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,</group>
</rule>
@@ -43,6 +43,7 @@
<rule id="11510" level="10" frequency="8" timeframe="120">
<if_matched_sid>11502</if_matched_sid>
<same_source_ip />
<description>MS-FTP: FTP brute force (multiple failed logins).</description>
<group>authentication_failures,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_11.4,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,</group>
</rule>
@@ -923,12 +923,14 @@
<rule id="18152" level="10" frequency="$MS_FREQ" timeframe="240">
<if_matched_group>win_authentication_failed</if_matched_group>
<same_source_ip />
<description>Multiple Windows Logon Failures.</description>
<group>authentication_failures,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_11.4,gdpr_IV_35.7.d,gdpr_IV_32.2,</group>
</rule>
<rule id="18153" level="10" frequency="$MS_FREQ" timeframe="240">
<if_matched_sid>18105</if_matched_sid>
<same_source_ip />
<description>Multiple Windows audit failure events.</description>
<group>pci_dss_10.6.1,gdpr_IV_35.7.d,</group>
</rule>
@@ -985,3 +987,4 @@
</rule>
</group>
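Review bot: Adding `<same_source_ip />` to 18152 and 18153 (L86, L92) restricts correlation to events whose decoder populated `srcip`; Windows logon-failure events for local/console logons commonly report the source address as `-`, and the audit-failure events behind 18105 frequently carry no network address at all, so those streams presumably stop contributing to the `$MS_FREQ` threshold without any visible error. Confirm against sample local-logon 4625 events and generic audit-failure events that the decoder sets `srcip` the way these rules now expect; if it does not, 18153 in particular may be effectively disabled and a sibling rule keyed on `<same_user />` or no correlation key would preserve coverage. The hunk at L96-L98 is cut at the edge of the view, so its added line cannot be reviewed. A comment above L86 such as `<!-- requires srcip; local logons with source '-' are not counted -->` would record the trade-off.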
@@ -138,12 +138,14 @@
<rule id="19152" level="10" frequency="8" timeframe="120">
<if_matched_sid>19111</if_matched_sid>
<same_source_ip />
<description>Multiple VMWare ESX authentication failures.</description>
<group>authentication_failures,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_11.4,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,</group>
</rule>
<rule id="19153" level="10" frequency="8" timeframe="120">
<if_matched_sid>19113</if_matched_sid>
<same_source_ip />
<description>Multiple VMWare ESX user authentication failures.</description>
<group>authentication_failures,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_11.4,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,</group>
</rule>
@@ -65,6 +65,7 @@
<rule id="40111" level="10" frequency="12" timeframe="160">
<if_matched_group>authentication_failed</if_matched_group>
<same_source_ip />
<description>Multiple authentication failures.</description>
<group>authentication_failures,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,gpg13_7.8,gdpr_IV_35.7.d,gdpr_IV_32.2,</group>
</rule>
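Review bot: Rule 40111 is the generic fallback over the whole `authentication_failed` group, and `<same_source_ip />` at L115 restricts it to events that carry a decoded `srcip`; local failures such as su, sudo or PAM console failures typically have no source address, so a local password-guessing sequence that previously raised this level-10 alert after 12 failures in 160s likely no longer aggregates anywhere. If that coverage is intentionally left to the per-daemon composites, say so in a comment above L115, e.g. `<!-- srcip-less local failures (su/sudo/PAM) are not counted here -->`; otherwise a companion rule correlating on `<same_user />` would keep the old behaviour for srcip-less events while this one drops the cross-host noise.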
@@ -126,6 +126,7 @@ id (Decoder): AAA, UI, API, SSLVPN, EVENT, SSLLOG, APPFW, TCP, ROUTING, SNMP, AC
<rule id="80112" level="10" frequency="10" timeframe="120">
<if_matched_sid>80111</if_matched_sid>
<same_source_ip />
<description>Netscaler: Multiple non-http resource access denied</description>
<group>netscaler-sslvpn,access_denied,pci_dss_10.2.4,pci_dss_11.4,gdpr_IV_35.7.d,</group>
</rule>
@@ -49,6 +49,7 @@
<rule id="86806" level="12" frequency="7" timeframe="120">
<if_matched_sid>86804</if_matched_sid>
<same_source_ip />
<description>VShell multiple connection attempts within 2 minute by a host in the deny file, potential DOS or brute force attempt.</description>
<group>gdpr_IV_35.7.d,gdpr_IV_32.2,</group>
</rule>
