beave / sagan-rules
Rule sets for Sagan
Home Page: http://sagan.quadrantsec.com
after: track by_src, count 5, seconds: 86400;
Sagan will segfault because of the ":" after "seconds".
Create flowbits based on anything found in a log. For instance, pull a username from a log and create a flowbit named the same as the username (user bob would have a flowbit called "bob"). The idea is to be able to track the DC a user normally logs into and alert when they log into a different DC.
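One way to model the request above in plain code, as an added example that is not Sagan's flowbit engine or anything from the sagan-rules project: the first DC a user is seen logging into is remembered under a bit named after the user (the "bob" bit of the request), a later logon recorded by a different DC raises an alert, and bits expire the way Sagan xbits do so a stale baseline is relearned rather than alerting forever. The syslog layout, host names and accounts are constructed for the example; the DC is taken from the syslog host field on the assumption that the DC which processed the logon is the one forwarding the 4624 event.

```python
"""Per-user domain-controller baseline (added example, not Sagan code)."""
import re
import time
from typing import Dict, Optional

# Constructed syslog layout: "<Mon> <d> <hh:mm:ss> <dc> Security: 4624: ... Account Name: <user> ..."
# A real 4624 carries two "Account Name:" fields (Subject, then New Logon); the
# greedy '.*' deliberately selects the last one, which is the account that logged on.
LOGON_RE = re.compile(
    r"^\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d\s+(?P<dc>\S+)\s+Security:\s+4624:.*"
    r"Account Name:\s+(?P<user>\S+)"
)


def logon_line(dc: str, user: str, stamp: str = "Jan  8 03:18:51") -> str:
    """Build a constructed 4624 line as a DC would forward it over syslog."""
    return (f"{stamp} {dc} Security: 4624: An account was successfully logged on. "
            f"Subject: Account Name: SYSTEM New Logon: Account Name: {user} Logon Type: 3")


class DcBaseline:
    """Remember which DC(s) each user logs into; alert on a new one."""

    def __init__(self, expire_seconds: int = 86400) -> None:
        self.expire = expire_seconds
        # user -> {dc: last_seen_timestamp}; this is the "flowbit named bob"
        self.bits: Dict[str, Dict[str, float]] = {}

    def observe(self, line: str, now: Optional[float] = None) -> Optional[str]:
        """Feed one log line; return an alert string, or None when nothing fires."""
        now = time.time() if now is None else now
        m = LOGON_RE.search(line)
        if m is None:
            return None
        user = m.group("user").lower()
        dc = m.group("dc").lower()
        if user.endswith("$"):          # machine accounts legitimately roam between DCs
            return None
        known = self.bits.setdefault(user, {})
        # Expire stale DCs the way an xbits 'expire' would, so the baseline relearns.
        for old_dc in [d for d, ts in known.items() if now - ts > self.expire]:
            del known[old_dc]
        alert = None
        if known and dc not in known:
            usual = ", ".join(sorted(known))
            alert = f"user {user} logged into {dc}; usually seen on {usual}"
        known[dc] = now                 # refresh or learn this DC
        return alert


if __name__ == "__main__":
    tracker = DcBaseline(expire_seconds=3600)
    t0 = 1546917531.0
    for offset, line in [(0, logon_line("dc01", "bob")),
                         (60, logon_line("dc01", "bob")),
                         (120, logon_line("dc02", "alice")),
                         (180, logon_line("dc02", "bob"))]:
        result = tracker.observe(line, t0 + offset)
        print(result or "no alert")
```

Only the alert on the fourth line fires; the first logon of each user is learned silently, which is the "set the flowbit" half of the request, and the alert is the "isset but different DC" half.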
Can the rulebase files be bundled into an additional location besides the rules file?
http://sagan.softwink.com/rules/|sagan-rules-current.tar.gz
FYI: Created issue for pulledpork on .rulebase files
Possible "deadlock" issue when Bluedot returns an "empty response".
SID 5003939 in the latest commit has 'sid:' twice.
Current:
alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[RSA-DPM] Physical Memory status RED [Critical]"; content: "RKMA_MONITORING_EVENT"; content: "|5b|Type|3a|Physical"; content: "RED"; distance: 45; within: 25; threshold: type threshold, track by_src, count 2, seconds 300; reference: url,wiki.quadrantsec.com/bin/view/Main/5003939; sid: sid:5003939; rev:2;)
Change to:
alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[RSA-DPM] Physical Memory status RED [Critical]"; content: "RKMA_MONITORING_EVENT"; content: "|5b|Type|3a|Physical"; content: "RED"; distance: 45; within: 25; threshold: type threshold, track by_src, count 2, seconds 300; reference: url,wiki.quadrantsec.com/bin/view/Main/5003939; sid:5003939; rev:2;)
Could these be disabled by default?
Some normalization rules match only ipv4 addresses: e.g.
rule=: Accepted publickey for %username:word% from %src-ip:ipv4% port %src-port:number% ssh2
However, I see this message for real with IPv6 addresses, and it's not getting normalized.
Some rules are duplicated to match both ipv4 and ipv6. And some try to, but are obviously broken:
rule=: Did not receive identification string from %src-p:ipv4%
rule=: Did not receive identification string from %src-ip:ipv6%
I think a better solution is to define a user-defined type which matches both IPv4 and IPv6, and update the rules to use it.
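The rule=: lines above are liblognorm's legacy rule format, which Sagan uses for normalization; liblognorm has separate ipv4 and ipv6 types, and the combined "ip" type below is this example's own stand-in for the user-defined type proposed in the report. The code is an added example, not liblognorm or anything from the sagan-rules project: it compiles the rule templates into regular expressions, validates each captured address with the ipaddress module, and normalizes the two SSH messages discussed above for both address families. The log lines are constructed.

```python
"""Normalizer with a combined IPv4/IPv6 field type (added example, not liblognorm)."""
import ipaddress
import re
from typing import Callable, Dict, List, Optional, Tuple

FIELD = re.compile(r"%(?P<name>[\w-]+):(?P<type>\w+)%")


def _is_ip(version: Optional[int]) -> Callable[[str], bool]:
    """Validator that accepts a syntactically valid address of the given family (None = either)."""
    def check(text: str) -> bool:
        try:
            addr = ipaddress.ip_address(text)
        except ValueError:
            return False
        return version is None or addr.version == version
    return check


# type name -> (regex fragment, validator). Fragments are loose on purpose;
# the validator does the real syntax check, so "999.1.1.1" is rejected.
TYPES: Dict[str, Tuple[str, Callable[[str], bool]]] = {
    "word":   (r"\S+",            lambda s: True),
    "number": (r"\d+",            lambda s: True),
    "ipv4":   (r"[0-9.]+",        _is_ip(4)),
    "ipv6":   (r"[0-9A-Fa-f:.]+", _is_ip(6)),
    "ip":     (r"[0-9A-Fa-f:.]+", _is_ip(None)),   # this example's combined type
}


class Rule:
    """One 'rule=:' template compiled to an anchored regular expression."""

    def __init__(self, template: str) -> None:
        self.template = template
        self.fields: List[Tuple[str, str, str]] = []   # (group, field name, type)
        parts, pos = ["^"], 0
        for m in FIELD.finditer(template):
            parts.append(re.escape(template[pos:m.start()]))
            name, typ = m.group("name"), m.group("type")
            if typ not in TYPES:
                raise ValueError(f"unknown field type {typ!r} in {template!r}")
            group = f"f{len(self.fields)}"      # field names like src-ip are not valid group names
            self.fields.append((group, name, typ))
            parts.append(f"(?P<{group}>{TYPES[typ][0]})")
            pos = m.end()
        parts.append(re.escape(template[pos:]) + "$")
        self.regex = re.compile("".join(parts))

    def match(self, message: str) -> Optional[Dict[str, str]]:
        m = self.regex.match(message)
        if m is None:
            return None
        out: Dict[str, str] = {}
        for group, name, typ in self.fields:
            value = m.group(group)
            if not TYPES[typ][1](value):
                return None
            out[name] = value
        return out


def normalize(rules: List[Rule], message: str) -> Optional[Dict[str, str]]:
    """Return the fields of the first rule that matches, or None."""
    for rule in rules:
        fields = rule.match(message)
        if fields is not None:
            return fields
    return None


# The two rules from the report, rewritten to the combined type.
RULES = [Rule(t) for t in (
    "Accepted publickey for %username:word% from %src-ip:ip% port %src-port:number% ssh2",
    "Did not receive identification string from %src-ip:ip%",
)]

if __name__ == "__main__":
    for msg in ("Accepted publickey for bob from 192.0.2.10 port 51022 ssh2",
                "Accepted publickey for bob from 2001:db8::1 port 51023 ssh2",
                "Did not receive identification string from 2001:db8::dead"):
        print(normalize(RULES, msg))
```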
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] TrueCrypter Rakhni or .CryptoHasYou. - Trojan:Win32/Dynamer!ac ransomware extension detected."; pcre: "/ 4663: | 567: | 5145: /"; content:!"\encoding"; nocase; meta_content: ".%sagan% ",enc,cryptohasyou; meta_nocase; program: Security; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002819; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5002819; rev:7;)
When starting a sagan with the rules, an error is issued:
[E] [rules.c, line 2879] Invalid threshold time 'seconds' at line 31 in /usr/local/etc/sagan-rules/honeyd.rules. Abort.
There are rules like "facility: kern" which should be "syslog_facility: kern".
(There don't seem to be any which would need changing to syslog_level, syslog_tag or syslog_priority.)
This is currently made moot by beave/sagan#140
No warning is generated for the bad rules: beave/sagan#141
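Several of the reports above are rule-syntax mistakes that Sagan either aborts on or, per the segfault report, crashes on without a warning: the ":" after "seconds" in an after option, a doubled "sid:" token, and "facility:" where "syslog_facility:" is meant. The linter below is an added example, not part of Sagan or the sagan-rules project, that catches these before Sagan loads the file. The rules in its demo text are constructed; the honeyd.rules line behind the "Invalid threshold time 'seconds'" abort is not shown on this page, so a missing or non-numeric seconds value is assumed as that case.

```python
"""Pre-flight linter for Sagan rule files (added example, not project code)."""
import re
import sys
from typing import Dict, List, Tuple

RATE_KEYWORDS = ("after", "threshold")   # value: track <by_src|by_dst>, count N, seconds N
RATE_FIELDS = ("count", "seconds")
OBSOLETE_KEYWORDS: Dict[str, str] = {"facility": "syslog_facility"}
SID_VALUE = re.compile(r"^\d+$")


def split_options(rule: str) -> List[Tuple[str, str]]:
    """Split the '(...)' block into (keyword, value) pairs.

    Options are separated by ';' outside double quotes. Each option is split
    on its first ':' only, so a stray ':' inside the value (e.g. 'seconds: 86400')
    is preserved for the checks in lint_rule.
    """
    start, end = rule.find("("), rule.rfind(")")
    if start < 0 or end < start:
        raise ValueError("rule has no option block")
    options, buf, quoted = [], [], False
    for ch in rule[start + 1:end]:
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            options.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    options.append("".join(buf))
    pairs = []
    for opt in options:
        if opt.strip():
            key, _, value = opt.partition(":")
            pairs.append((key.strip(), value.strip()))
    return pairs


def lint_rule(rule: str, lineno: int = 1) -> List[str]:
    """Return the problems found in one rule line (empty list if clean)."""
    problems: List[str] = []
    where = f"line {lineno}"
    for key, value in split_options(rule):
        if key in RATE_KEYWORDS:
            if "track" not in value:
                problems.append(f"{where}: {key} has no 'track' clause")
            for field in RATE_FIELDS:
                m = re.search(rf"\b{field}\b\s*(:)?\s*(\d+)?", value)
                if m is None:
                    problems.append(f"{where}: {key} is missing '{field}'")
                elif m.group(1):
                    # 'seconds: 86400' is the form reported above to crash Sagan
                    problems.append(f"{where}: '{field}:' in {key} must be '{field} <n>' (no colon)")
                elif m.group(2) is None:
                    problems.append(f"{where}: '{field}' in {key} has no numeric value")
        elif key == "sid" and not SID_VALUE.match(value):
            problems.append(f"{where}: malformed sid value {value!r}")   # e.g. 'sid: sid:5003939'
        elif key in OBSOLETE_KEYWORDS:
            problems.append(f"{where}: '{key}:' should be '{OBSOLETE_KEYWORDS[key]}:'")
    return problems


def lint_text(text: str) -> List[str]:
    """Lint every rule line of a .rules file; comments and blank lines are skipped."""
    problems: List[str] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            problems.extend(lint_rule(line, lineno))
        except ValueError as exc:
            problems.append(f"line {lineno}: {exc}")
    return problems


# Constructed rules reproducing the reports on this page (sids 90000xx are demo values).
DEMO_RULES = """\
# ':' after seconds (the segfault report)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[DEMO] ssh brute force"; content:"Failed password"; after: track by_src, count 5, seconds: 86400; sid:9000001; rev:1;)
# doubled sid: token
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[DEMO] memory red"; content:"RED"; threshold: type threshold, track by_src, count 2, seconds 300; sid: sid:9000002; rev:2;)
# obsolete facility keyword
alert syslog any any -> any any (msg:"[DEMO] kernel oops"; content:"Oops"; facility: kern; sid:9000003; rev:1;)
# clean
alert syslog any any -> any any (msg:"[DEMO] clean"; content:"ok"; threshold: type limit, track by_src, count 1, seconds 60; sid:9000004; rev:1;)
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else DEMO_RULES
    for problem in lint_text(text):
        print(problem)
```

Run it over a rules directory before restarting Sagan; the quote-aware splitter matters because content and pcre values may legitimately contain ":" and the option separator is only a ";" outside quotes.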
sagan-rules/windows-sysmon.rules, line 86 in 6f87a80, seems to detect:
1: Process Create: RuleName: UtcTime: 2019-01-08 03:18:51.728 ProcessGuid: {872FCC10-169B-5C34-0000-001066122B00} ProcessId: 6716 Image: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.1812.3-0\MpCmdRun.exe FileVersion: 4.18.1812.3 (GitEnlistment(winpbld).181121-1313) Description: Microsoft Malware Protection Command Line Utility Product: Microsoft? Windows? Operating System Company: Microsoft Corporation CommandLine: "C:\ProgramData\Microsoft\Windows Defender\platform\4.18.1812.3-0\MpCmdRun.exe" SignatureUpdate -ScheduleJob -RestrictPrivileges -Reinvoke CurrentDirectory: C:\WINDOWS\system32\ User: NT AUTHORITY\NETWORK SERVICE LogonGuid: {872FCC10-1436-5C34-0000-0020E4030000} LogonId: 0x3E4 TerminalSessionId: 0 IntegrityLevel: System Hashes: MD5=FA121970C68FC5E586DEF0B21D5BCDAD,SHA256=AFB9BC4BDE1632B3012FBB26B989943D9E8031EF2CE903E3A5BBE1F8DB01B27D,IMPHASH=D8183AF5CC04BCC9C15AF0AB66CE6DB7 ParentProcessGuid: {872FCC10-169B-5C34-0000-00100A062B00} ParentProcessId: 4080 ParentImage: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.1812.3-0\MpCmdRun.exe ParentCommandLine: "C:\ProgramData\Microsoft\Windows Defender\platform\4.18.1812.3-0\MpCmdRun.exe" SignatureUpdate -ScheduleJob -RestrictPrivileges
What would be the best way to tighten that rule up? Maybe something like this?
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] SYSMON Possible CMD detected"; content: " 1|3a| "; pcre: "/CommandLine: (.*)cmd.exe/i"; classtype: suspicious-command; program: Sysmon; reference: url,findingbad.blogspot.cz/2017/12/a-few-of-my-favorite-things-continued.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5003388; reference: url,www.quadrantsec.com/about/blog/using_jack_crooks_log_analysis_concepts_with_sagan; sid:5003388; rev:1;)
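Checking the proposed pcre against constructed Sysmon event-1 messages, as an added example that is not from the issue or the rule set. The pattern /CommandLine: (.*)cmd.exe/i does not fire on the Defender MpCmdRun.exe event quoted above, because "cmd.exe" (with "." matching any character) never occurs in it. Two things about it are still worth knowing before shipping: "CommandLine: " is also the tail of "ParentCommandLine: " in the same message, and the greedy "(.*)" lets the match land on any cmd.exe anywhere later in the message, including the parent process or an argument. The TIGHT pattern below is this example's own variant that anchors on the CommandLine field itself (the \b rejects ParentCommandLine) and on cmd.exe as the executable. Python's re and Sagan's PCRE agree on these constructs; the four event messages are constructed, modelled on the one quoted in the issue.

```python
"""Testing the proposed Sysmon cmd.exe pcre against constructed events (added example)."""
import re
from typing import Dict, Pattern

PROPOSED = re.compile(r"CommandLine: (.*)cmd.exe", re.IGNORECASE)

# Field must be the real CommandLine (\b rejects ParentCommandLine), and the
# executable, optionally quoted and with a drive path, must be cmd.exe itself.
TIGHT = re.compile(r'\bCommandLine: "?(?:[A-Za-z]:\\(?:[^"\\]+\\)*)?cmd\.exe\b', re.IGNORECASE)

# Constructed Sysmon event-1 messages (shortened field set) modelled on the quoted one.
EVENTS: Dict[str, str] = {
    # Defender signature update: the event the rule on the page misfired on
    "defender_update": (
        '1: Process Create: RuleName: UtcTime: 2019-01-08 03:18:51.728 '
        'Image: C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.1812.3-0\\MpCmdRun.exe '
        'CommandLine: "C:\\ProgramData\\Microsoft\\Windows Defender\\platform\\4.18.1812.3-0\\MpCmdRun.exe" '
        'SignatureUpdate -ScheduleJob -RestrictPrivileges -Reinvoke CurrentDirectory: C:\\WINDOWS\\system32\\ '
        'User: NT AUTHORITY\\NETWORK SERVICE ParentCommandLine: '
        '"C:\\ProgramData\\Microsoft\\Windows Defender\\platform\\4.18.1812.3-0\\MpCmdRun.exe" SignatureUpdate'
    ),
    # a genuine cmd.exe launch: both patterns should fire
    "cmd_spawn": (
        '1: Process Create: RuleName: UtcTime: 2019-01-08 03:20:00.000 '
        'Image: C:\\Windows\\System32\\cmd.exe CommandLine: "C:\\Windows\\System32\\cmd.exe" /c whoami '
        'CurrentDirectory: C:\\Users\\bob\\ User: CORP\\bob ParentCommandLine: "C:\\Windows\\explorer.exe"'
    ),
    # whoami spawned BY cmd.exe: cmd.exe only appears in ParentCommandLine
    "child_of_cmd": (
        '1: Process Create: RuleName: UtcTime: 2019-01-08 03:21:00.000 '
        'Image: C:\\Windows\\System32\\whoami.exe CommandLine: whoami '
        'CurrentDirectory: C:\\Users\\bob\\ User: CORP\\bob '
        'ParentCommandLine: "C:\\Windows\\System32\\cmd.exe" /c whoami'
    ),
    # notepad opening a file whose name contains cmd.exe: an argument, not the executable
    "cmd_in_argument": (
        '1: Process Create: RuleName: UtcTime: 2019-01-08 03:22:00.000 '
        'Image: C:\\Windows\\System32\\notepad.exe '
        'CommandLine: "C:\\Windows\\System32\\notepad.exe" C:\\Temp\\cmd.exe.txt '
        'CurrentDirectory: C:\\Users\\bob\\ User: CORP\\bob ParentCommandLine: "C:\\Windows\\explorer.exe"'
    ),
}


def evaluate(pattern: Pattern[str], events: Dict[str, str] = EVENTS) -> Dict[str, bool]:
    """Which constructed events a pattern would alert on."""
    return {name: pattern.search(msg) is not None for name, msg in events.items()}


if __name__ == "__main__":
    for label, pattern in (("proposed", PROPOSED), ("tight", TIGHT)):
        print(label, evaluate(pattern))
```

The proposed pattern fires on "child_of_cmd" and "cmd_in_argument" as well as the real launch, which is noisier than the issue intends; the tighter form fires only when cmd.exe is the executable named in the CommandLine field. If the goal is instead to catch anything descending from cmd.exe, match on "ParentCommandLine:" explicitly rather than relying on the substring.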
I'm currently working with CentOS 6.4 and I'm having issues getting the ./configure setup to recognize the mysql libraries that I have verified are installed. I noticed in a few versions back you could specify the mysql library directory and include directory. This is no longer available in the current configure.in file. Any chance of getting this added?
The website that hosts the rules:
[ ] sagan-rules-05032012..> 03-May-2012 20:25 98K
[ ] sagan-rules-current...> 03-May-2012 20:25 98K
[TXT] sagan-rules-05032012..> 03-May-2012 20:26 70
Note:
http://sagan.quadrantsec.com/rules/sagan-rules-05032012.tar.gz
http://sagan.quadrantsec.com/rules/sagan-rules-05032012.tar.gz-sha.txt
http://sagan.quadrantsec.com/rules/sagan-rules-current.tar.gz
This is breaking the pulledpork download hash verification step.
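The listing above publishes a checksum file only for the dated tarball; its 70-byte size is consistent with one line of sha1sum output (40 hex digits, two spaces, the 27-character file name and a newline), which the example below assumes. A downloader that fails closed when the checksum file is missing, or lists a different file name than the one fetched, reproduces what pulledpork hits on sagan-rules-current.tar.gz. This is an added example, not pulledpork's code; the archive bytes and digest are constructed, and the parser accepts md5sum/sha1sum/sha256sum/sha512sum-style lines so it does not depend on the sha1 guess being right.

```python
"""Fail-closed checksum verification for rule tarballs (added example, not pulledpork)."""
import hashlib
import hmac
import re
from typing import Dict, Optional, Tuple

# "<hexdigest>  <name>" or "<hexdigest> *<name>" as the coreutils *sum tools print it
CHECKSUM_LINE = re.compile(r"^(?P<digest>[0-9A-Fa-f]+)\s+\*?(?P<name>\S+)\s*$")
ALGO_BY_DIGEST_LEN = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}


def parse_checksum_file(text: str) -> Dict[str, Tuple[str, str]]:
    """Map file name -> (algorithm, hex digest); the algorithm is inferred from digest length."""
    entries: Dict[str, Tuple[str, str]] = {}
    for line in text.splitlines():
        m = CHECKSUM_LINE.match(line.strip())
        if not m:
            continue
        digest = m.group("digest").lower()
        algo = ALGO_BY_DIGEST_LEN.get(len(digest))
        if algo:
            entries[m.group("name")] = (algo, digest)
    return entries


def verify_archive(name: str, data: bytes, checksum_text: Optional[str]) -> Tuple[bool, str]:
    """Verify downloaded bytes against the published checksum file.

    Fails closed: a missing checksum file, or one that does not list this
    file name, is a failure rather than a skipped check.
    """
    if checksum_text is None:
        return False, f"no checksum file published for {name}"
    entries = parse_checksum_file(checksum_text)
    if name not in entries:
        listed = ", ".join(sorted(entries)) or "nothing"
        return False, f"checksum file does not list {name} (it lists: {listed})"
    algo, expected = entries[name]
    actual = hashlib.new(algo, data).hexdigest()
    if not hmac.compare_digest(actual, expected):
        return False, f"{algo} mismatch for {name}: expected {expected}, got {actual}"
    return True, f"{algo} verified for {name}"


def make_checksum_file(name: str, data: bytes, algo: str = "sha1") -> str:
    """Produce one sha1sum-style line for the demo (constructed data, not the real file)."""
    return f"{hashlib.new(algo, data).hexdigest()}  {name}\n"


if __name__ == "__main__":
    tarball = b"constructed tarball bytes"               # stands in for the real archive
    dated = "sagan-rules-05032012.tar.gz"
    current = "sagan-rules-current.tar.gz"
    sha_file = make_checksum_file(dated, tarball)          # 70 bytes, like the listing
    print(verify_archive(dated, tarball, sha_file))        # verified
    print(verify_archive(current, tarball, None))          # no -sha.txt for the current tarball
    print(verify_archive(current, tarball, sha_file))      # dated file's checksum names a different file
```

Publishing a sagan-rules-current.tar.gz-sha.txt that names sagan-rules-current.tar.gz, or pointing pulledpork at the dated tarball and its checksum, makes both failing calls pass; the digest comparison uses hmac.compare_digest so a verifier exposed to untrusted input does not leak through timing.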
For 5003377, would you consider also excluding events with IPv4 and IPv6 link-local addresses for the Source Network Address?
alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-MISC] System shutdown [FLOWBIT SET]"; content: " 1074|3a| "; program: System|USER32; xbits: set, reboot.windows, 60; xbits: noalert; classtype: system-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5002014; sid: 5002014; rev:7;)
The rule for "1100: The event logging service has shut down" isn't recognizing the reboot.windows flowbit.