rule "Extract Snort alert fields"
// Parses the alert_syslog line format: [gid:sid:rev] msg [Classification: ...] [Priority: n] {proto} src:port -> dst:port
// Capture groups: 0=generator_id 1=signature_id 2=signature_rev 3=message 4=classification
//                 5=priority 6=protocol 7=src_ip 8=src_port 9=dst_ip 10=dst_port
// Caveat: the rule fires on every message that has a "message" field, so snort_alert is set to true
// (and the group lookups return null) even when the regex does not match; gate on m.matches if that matters.
when
  has_field("message")
then
  let m = regex("^\\s?\\[(\\d+):(\\d+):(\\d+)\\] (.+?) \\[Classification: (.+?)\\] \\[Priority: (\\d+)] \\{(.+?)\\} (\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}):(\\d{1,5}) -> (\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}):(\\d{1,5})\\R?", to_string($message.message));
  set_field("snort_alert", true);
  set_field("generator_id", m["0"]);
  set_field("signature_id", m["1"]);
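The same extraction as a stand-alone parser, added here as an example rather than code from the gist. It keeps the gist's capture order and leading-space tolerance but generalizes the pattern in two ways the Graylog rule does not: the `[Classification: ...]` bracket is optional (rules without a classtype omit it), and ports are optional (ICMP alerts carry bare addresses). Java's `\R` has no Python equivalent, so trailing whitespace is absorbed with `\s*$` instead. The sample lines are constructed, not sensor output.

```python
import ipaddress
import re
from typing import Optional

# Constructed sample lines in Snort's alert_syslog format (not captured from a real sensor).
SAMPLE_ALERTS = [
    " [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.5:80 -> 192.168.1.10:49832",
    "[1:408:5] ICMP Echo Reply [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.10 -> 10.0.0.5",
    "[1:1000001:1] LOCAL test rule without classification [Priority: 3] {UDP} 10.0.0.7:53 -> 192.168.1.10:51000",
    "Jan 15 10:22:33 gateway sshd[1234]: Accepted publickey for pi from 172.16.0.10",
]

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

# Named groups in the same order as the gist's numbered groups 0..10.
# The placeholder token IPV4 is substituted into the juxtaposed literal after concatenation.
SNORT_ALERT_RE = re.compile(
    r"^\s?\[(?P<generator_id>\d+):(?P<signature_id>\d+):(?P<signature_rev>\d+)\] "
    r"(?P<signature>.+?) "
    r"(?:\[Classification: (?P<classification>.+?)\] )?"   # absent for rules without a classtype
    r"\[Priority: (?P<priority>\d+)\] "
    r"\{(?P<protocol>[A-Za-z0-9-]+)\} "
    r"(?P<src_ip>IPV4)(?::(?P<src_port>\d{1,5}))? -> "      # ports absent for ICMP
    r"(?P<dst_ip>IPV4)(?::(?P<dst_port>\d{1,5}))?\s*$".replace("IPV4", IPV4)
)


def parse_snort_alert(message: str) -> Optional[dict]:
    """Return the extracted fields for a Snort alert line, or None if the line is not one.

    Unlike the gist's rule, a non-matching line yields None instead of a record
    tagged snort_alert=True with null fields.
    """
    m = SNORT_ALERT_RE.match(message)
    if not m:
        return None
    fields = m.groupdict()
    for key in ("generator_id", "signature_id", "signature_rev", "priority"):
        fields[key] = int(fields[key])
    # \d{1,5} admits values such as 99999; reject them rather than index garbage.
    for key in ("src_port", "dst_port"):
        if fields[key] is not None:
            port = int(fields[key])
            if not 0 <= port <= 65535:
                return None
            fields[key] = port
    # \d{1,3} admits octets above 255; let ipaddress do the real validation.
    for key in ("src_ip", "dst_ip"):
        try:
            ipaddress.ip_address(fields[key])
        except ValueError:
            return None
    fields["snort_alert"] = True
    return fields


def extract_all(lines):
    """Parse a batch of log lines; non-alerts come back as None so callers can route them."""
    return [parse_snort_alert(line) for line in lines]


if __name__ == "__main__":
    for line, parsed in zip(SAMPLE_ALERTS, extract_all(SAMPLE_ALERTS)):
        print(parsed if parsed else f"not a Snort alert: {line[:40]}...")
```

If you keep the Graylog rule instead, the equivalent guard is to test the match result before calling `set_field`, otherwise every syslog line that reaches the stream is tagged as a Snort alert.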
rule "command_and_control_sunburst_dst_ip"
// Written by Recon InfoSec SOC Team
//
// https://github.com/fireeye/sunburst_countermeasures/blob/main/indicator_release/Indicator_Release_NBIs.csv
// https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
// https://github.com/sophos-cybersecurity/solarwinds-threathunt/blob/master/iocs.csv
when
  has_field("dst_ip_is_internal")
  AND
  to_string($message.dst_ip_is_internal) == "false"
rule "command_and_control_sunburst_dst_hostname"
// Written by Recon InfoSec SOC Team
//
// https://github.com/fireeye/sunburst_countermeasures/blob/main/indicator_release/Indicator_Release_NBIs.csv
// https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
// https://github.com/sophos-cybersecurity/solarwinds-threathunt/blob/master/iocs.csv
when
  has_field("dst_ip_is_internal")
  AND
  to_string($message.dst_ip_is_internal) == "false"
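Both SUNBURST rules share the same gate: the event must already carry `dst_ip_is_internal`, and its string form must be `"false"`, before any indicator comparison happens. The listing above shows only that gate, so the following is an added example (not the Recon InfoSec rules) of the full pipeline: an enrichment step that produces the field, then an IP-list match and a hostname-suffix match behind the gate. The indicator values are constructed placeholders (RFC 5737 test ranges and an example domain), not the SUNBURST IOCs; the real lists are the FireEye and Sophos CSVs cited in the rule headers. How the original deployment computed `dst_ip_is_internal` is not shown on the page; the RFC 1918 plus loopback and link-local definition below is an assumption.

```python
import ipaddress

# Constructed placeholder indicators; substitute the published IOC CSVs in a real deployment.
C2_IPS = {"203.0.113.17", "198.51.100.44"}
C2_DOMAINS = {"c2.example.net"}

# Assumed definition of "internal"; the page does not show how the field is derived.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
)]

# Constructed sample events, as a Graylog pipeline would see them before enrichment.
SAMPLE_EVENTS = [
    {"id": 1, "dst_ip": "203.0.113.17", "dst_hostname": "unrelated.example.org"},
    {"id": 2, "dst_ip": "10.20.30.40", "dst_hostname": "c2.example.net"},        # internal: gate blocks it
    {"id": 3, "dst_ip": "192.0.2.9", "dst_hostname": "beacon.c2.example.net."},  # subdomain, trailing dot
    {"id": 4, "dst_ip": "192.0.2.10"},                                           # no hostname field at all
]


def is_internal(ip: str) -> bool:
    """True when ip falls in one of INTERNAL_NETS; unparseable values count as external so they get checked."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def enrich(event: dict) -> dict:
    """Add dst_ip_is_internal as the string "true"/"false", matching the rules' to_string() == "false" test."""
    out = dict(event)
    if "dst_ip" in out:
        out["dst_ip_is_internal"] = "true" if is_internal(out["dst_ip"]) else "false"
    return out


def hostname_matches(hostname: str, iocs) -> bool:
    """Exact or parent-domain match, tolerant of case and a trailing dot from DNS logs."""
    h = hostname.rstrip(".").lower()
    return any(h == d or h.endswith("." + d) for d in iocs)


def gate_passes(event: dict) -> bool:
    # has_field("dst_ip_is_internal") AND to_string(...) == "false": a missing field never fires.
    return event.get("dst_ip_is_internal") == "false"


def rule_sunburst_dst_ip(event: dict) -> bool:
    return gate_passes(event) and event.get("dst_ip") in C2_IPS


def rule_sunburst_dst_hostname(event: dict) -> bool:
    return gate_passes(event) and "dst_hostname" in event \
        and hostname_matches(event["dst_hostname"], C2_DOMAINS)


RULES = (
    ("command_and_control_sunburst_dst_ip", rule_sunburst_dst_ip),
    ("command_and_control_sunburst_dst_hostname", rule_sunburst_dst_hostname),
)


def run_rules(events):
    """Enrich each event, then evaluate both rules; returns (event id, rule name) pairs that fired."""
    hits = []
    for raw in events:
        ev = enrich(raw)
        for name, rule in RULES:
            if rule(ev):
                hits.append((ev["id"], name))
    return hits


if __name__ == "__main__":
    for hit in run_rules(SAMPLE_EVENTS):
        print(hit)
```

The order matters operationally: if the enrichment rule that sets `dst_ip_is_internal` runs in a later pipeline stage, or is missing from a stream, the `has_field` check silently disables both detections rather than failing loudly, so the unenriched case is worth a unit test of its own.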
pi@parabola:~ $ ifconfig
eth0      Link encap:Ethernet  HWaddr b8:27:eb:0f:0e:d4
          inet addr:172.16.0.136  Bcast:172.16.0.255  Mask:255.255.255.0
          inet6 addr: fe80::8966:2353:4688:c9a/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:349 errors:0 dropped:8 overruns:0 frame:0
          TX packets:378 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:75761 (73.9 KiB)  TX bytes:69865 (68.2 KiB)
pi@parabola:~ $ ifconfig
eth0      Link encap:Ethernet  HWaddr b8:27:eb:0f:0e:d4
          inet addr:172.16.0.136  Bcast:172.16.0.255  Mask:255.255.255.0
          inet6 addr: fe80::8966:2353:4688:c9a/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1327 errors:0 dropped:22 overruns:0 frame:0
          TX packets:1118 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:290630 (283.8 KiB)  TX bytes:233228 (227.7 KiB)
interfaces: {
  rest_listen_uri: "https://0.0.0.0:22900/"
  http_external_uri: "https://nzyme.example.org:22900/"
  use_tls: true
  tls_certificate_path: /path/to/cert.pem
  tls_key_path: /path/to/key.pem
}
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no

# Details about the subject of the certificate
[req_distinguished_name]
C = US
ST = Some-State
L = Some-City
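Putting the two fragments together: the `interfaces` block above points `tls_certificate_path` and `tls_key_path` at a PEM pair, and the `[req]` config is the OpenSSL input for producing one. The script below is an added example, not the gist's own, that writes a complete request config and generates a self-signed certificate for the REST interface. Everything past `L = Some-City` is an assumption: the page's fragment stops there, so the organisation, the `CN`, the `[v3_req]` extensions and the `subjectAltName` (set to the `nzyme.example.org` host from `http_external_uri`, which is what clients will validate) are supplied here.

```sh
#!/bin/sh
# Added example: self-signed TLS certificate for the nzyme REST interface.
# Assumes the hostname nzyme.example.org from http_external_uri; the [v3_req]
# and [alt_names] sections are not on the page and are supplied here.
set -eu

gen_nzyme_cert() {
    outdir="$1"
    mkdir -p "$outdir"
    cat > "$outdir/req.cnf" <<'EOF'
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no

# Details about the subject of the certificate
[req_distinguished_name]
C = US
ST = Some-State
L = Some-City
O = Example Org
CN = nzyme.example.org

# Assumed extensions: modern clients ignore CN and require a SAN entry.
[v3_req]
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = nzyme.example.org
EOF

    # One shot: new RSA key (unencrypted, since the daemon has to read it at start-up)
    # plus a self-signed certificate built from the config above.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 825 \
        -config "$outdir/req.cnf" \
        -keyout "$outdir/key.pem" -out "$outdir/cert.pem" >/dev/null 2>&1

    # The key is what tls_key_path points at; keep it readable by the service user only.
    chmod 600 "$outdir/key.pem"

    # Confirm the SAN clients will check is actually in the certificate.
    openssl x509 -in "$outdir/cert.pem" -noout -text | grep -q 'DNS:nzyme.example.org'
}

# Usage: gen_nzyme_cert /etc/nzyme/tls  then set tls_certificate_path/tls_key_path to the two files.
```

The function returns non-zero if the SAN check fails, so a wrapper script can refuse to restart the service with a certificate that clients would reject anyway. For a certificate trusted by browsers, replace the `-x509` step with a CSR signed by your CA; the `[req]` config is the same.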
{
  type: email
  enabled: false
  # One of: SMTP, SMTPS or SMTP_TLS
  # SMTP_TLS upgrades a plaintext session with STARTTLS (port 587); SMTPS is implicit TLS (port 465); SMTP sends credentials in the clear
  transport_strategy: SMTP_TLS
  host: smtp.example.org
  port: 587
  username: "your_username"
alerting {
  # Notifications and callbacks for triggered alerts.
  callbacks: [
    {
      type: email
      enabled: false
      # One of: SMTP, SMTPS or SMTP_TLS
      transport_strategy: SMTP_TLS
output.logstash:
  hosts: ["192.168.191.10:5044", "192.168.191.20:5044"]
  # false: events go to one host at a time, failing over to the other only if it stops responding;
  # true would spread events across both hosts.
  loadbalance: false
winlogbeat:
  event_logs:
    - name: Application
    - name: System
    - name: Security
    - name: Microsoft-Windows-Sysmon/Operational