Skip to content

Instantly share code, notes, and snippets.

@defensivedepth
Created March 31, 2021 16:36
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save defensivedepth/c29934570bd00af120ec4b799d15eb5a to your computer and use it in GitHub Desktop.
Save defensivedepth/c29934570bd00af120ec4b799d15eb5a to your computer and use it in GitHub Desktop.
Sigma rule for Internal Cleartext Protocol Usage
title: Internal Cleartext Protocol Usage
status: experimental
description: Detects common cleartext procotols from internal endpoints.
author: Josh Brower
logsource:
category: firewall
defintion: Tweak logsource to whichever logsource is used in the local environment ie Zeek Conn.
detection:
internal_ip:
src_ip|startswith:
- '192.168.'
- '10.'
- '172.16.'
- '172.17.'
- '172.18.'
- '172.19.'
- '172.20.'
- '172.21.'
- '172.22.'
- '172.23.'
- '172.24.'
- '172.25.'
- '172.26.'
- '172.27.'
- '172.28.'
- '172.29.'
- '172.30.'
- '172.31.'
cleartext_protocol:
dst_port:
- 20 #FTP Data
- 21 #FTP Control
- 23 #Telnet
- 161 #SNMP
- 162 #SNMP
- 143 #IMAP
- 110 #POP3
- 389 #LDAP
condition: internal_ip and cleartext_protocol
falsepositives:
- Unknown
fields:
- src_ip
level: medium
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment