perdition (imap/pop3 proxy) rule #407
Conversation
|
Hello @gkissand, Thanks for your contribution. We will review it and if possible, it will be added to Wazuh-Ruleset. Juan Pablo Sáez |
rules/0625-perdition_rules.xml
Outdated
| - Author: George Kissandrakis <gkissand@gmail.com> | ||
| --> | ||
| <group name="syslog,perdition"> | ||
| <rule id="100100" level="0"> |
There was a problem hiding this comment.
Hi, rule IDs greater than 100000 are reserved for custom rules. Please change these IDs to others less than 100000.
Thanks.
There was a problem hiding this comment.
Hi,
Should I do the rule id changes?
If so, is there an inventory of rule ids not to use an id that is already in use?
Thank you
George
There was a problem hiding this comment.
Hi @gkissand,
First of all, thanks for your contribution to the project.
I think the best solution here is to add this group of rules to the syslog dedicated file: https://github.com/wazuh/wazuh-ruleset/blob/3.10/rules/0020-syslog_rules.xml
That way we are not creating a new file for three rules related to syslog. You can continue the rule IDs account for that file. I would use IDs 2961-2963.
Regards.
|
I added perdition rules in the syslog file as recommended |
Hi @gkissand, I cannot see any change in the Syslog rules file. Have you pushed your last changes? Regards. |
|
As you might have realized I am not very familiar with github/git. I think I managed this time. If it's not problem, feel free to do any changes needed for merging to master thank you |
Now I see the rules duplicated, don't worry about it, I'll fix it while merging. Thanks again for the contribution and for applying the requested changes. It will be available in the next minor version (3.10.0). Regards. |
This decoder and rule will monitor perdition connections and create a level 10 alert on multiple connections from same source ip
For maintainers: PCI tags, descriptions etc were copied from pure-ftp decoders/rules. It successfully detected DoS attacks (tested live)