Good thread idea. I’ve copied a few Windows-centric rules below. Some of the
rules that lean heavily on <match> could no doubt be improved, but they don’t
bother me with false positives or performance issues in my small environment,
so I don’t worry about it. YMMV. I also have some decoders and rules for Cowrie
honeypots, but intend to polish those up and submit a pull request for those
one of these days. If anyone is interested in testing them though, I could send
those off list.
<rule id="100006" level="8">
  <if_sid>594</if_sid>
  <match>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run</match>
  <description>A change has been made to the software that automatically runs at startup.</description>
</rule>
<rule id="100010" level="7">
  <if_sid>18103</if_sid>
  <match>Length specified in network packet</match>
  <description>Somebody is sending malformed data to your SQL Server. You should probably investigate.</description>
</rule>
<rule id="100011" level="10">
  <if_sid>18101</if_sid>
  <match>PSEXESVC|PsExec</match>
  <description>Remote access via PSEXEC. If this wasn't initiated by you, then you've got a problem.</description>
</rule>
<rule id="100013" level="8">
  <if_sid>18102</if_sid>
  <id>^2004$</id>
  <match>diagnosed</match>
  <description>There's a problem with abnormal memory usage on this system! Please investigate the indicated processes.</description>
</rule>
<rule id="100014" level="7">
  <if_sid>18104</if_sid>
  <id>4698</id>
  <description>A scheduled task has been created on this machine. Please review.</description>
  <info>Requires group policy modification to the Advanced Security Audit policy/Audit Other Object Access Events. See: https://technet.microsoft.com/en-us/library/dn319119.aspx</info>
</rule>
<rule id="100016" level="1">
  <if_sid>18103</if_sid>
  <id>36874|36888</id>
  <group>recon_ssl,</group>
  <description>Add Schannel errors to the custom recon_ssl group</description>
</rule>
<rule id="100017" level="7" frequency="38" timeframe="120" ignore="1800">
  <!-- OSSEC fires a frequency rule after frequency+2 matches, so 38 here fires on the 40th probe -->
  <if_matched_group>recon_ssl</if_matched_group>
  <description>There have been over 40 SSL cipher suite probes in the last two minutes. Someone may be performing reconnaissance on your servers, assessing whether one of your SSL-enabled services is vulnerable to exploits.</description>
  <info>Unfortunately, Schannel errors are of limited usefulness. They occur without any indication of which IP address caused them, so consulting contextual log info or firewall logs is the only way to track down who is responsible.</info>
</rule>
<rule id="100022" level="7">
  <if_sid>18103</if_sid>
  <id>^1000$|^1002$|^7023$|^7034$</id>
  <!--<match>Fault|terminate</match>-->
  <description>A program or service has crashed. Investigate as appropriate.</description>
</rule>
<rule id="100026" level="7">
  <if_sid>18101</if_sid>
  <id>^7045$</id>
  <description>A new service has been installed on this computer.</description>
</rule>
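Rules like the ones above usually get pasted into local_rules.xml and reloaded without any check beyond "did ossec-analysisd start". The script below is an added example, not the poster's code or part of OSSEC: it lints a rules fragment for the mistakes that most often bite when copying rules between hosts (ids outside the user-defined 100000-119999 range, duplicate ids, a missing description, a frequency rule without a timeframe or if_matched_* condition, and an if_sid pointing at a local rule the file does not define) and reports the real trigger count of a frequency rule, which OSSEC counts as frequency+2. The sample fragment is constructed from three of the rules above plus a deliberately broken duplicate of 100017 so the linter has something to catch.

```python
"""Lint an OSSEC local_rules.xml fragment before reloading ossec-analysisd.

Added example (not the poster's code, not part of OSSEC). Checks the things
a defender normally eyeballs: rule ids in the user range, no duplicate ids,
a description on every rule, frequency rules paired with a timeframe and an
if_matched_* condition, and no dangling <if_sid> references to local rules
that this file does not define.
"""
import xml.etree.ElementTree as ET
from collections import Counter

LOCAL_MIN, LOCAL_MAX = 100000, 119999          # OSSEC's user-defined rule id range
COMPOSITE_CONDITIONS = ("if_matched_sid", "if_matched_group", "if_matched_regex")

# Constructed sample: three of the Windows rules from the post, wrapped in the
# <group> element local_rules.xml uses, plus a broken duplicate of 100017
# (same id again, no description, if_sid to a local rule that does not exist).
SAMPLE_RULES = r"""<group name="local,windows,">
  <rule id="100006" level="8">
    <if_sid>594</if_sid>
    <match>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run</match>
    <description>A change has been made to the software that runs at startup.</description>
  </rule>
  <rule id="100016" level="1">
    <if_sid>18103</if_sid>
    <id>36874|36888</id>
    <group>recon_ssl,</group>
    <description>Add Schannel errors to the custom recon_ssl group</description>
  </rule>
  <rule id="100017" level="7" frequency="38" timeframe="120" ignore="1800">
    <if_matched_group>recon_ssl</if_matched_group>
    <description>Over 40 SSL cipher suite probes in two minutes.</description>
  </rule>
  <rule id="100017" level="7">
    <if_sid>100099</if_sid>
  </rule>
</group>"""


def parse_rules(xml_text):
    """Return every <rule> element in the fragment, at any depth."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        # Rules pasted straight out of a file without their <group> wrapper,
        # exactly as in the post: wrap them so the fragment has one root.
        root = ET.fromstring("<group>" + xml_text + "</group>")
    return list(root.iter("rule"))


def _rule_id(rule):
    """Numeric id of a <rule>, or None if it is missing or non-numeric."""
    raw = rule.get("id", "")
    return int(raw) if raw.isdigit() else None


def effective_trigger_count(rule):
    """Matches needed before a frequency rule fires; OSSEC counts frequency+2."""
    return int(rule.get("frequency")) + 2


def lint_rules(xml_text):
    """Return a list of problem strings; an empty list means the fragment passed."""
    rules = parse_rules(xml_text)
    problems = []
    ids = [rid for rid in (_rule_id(r) for r in rules) if rid is not None]
    defined = set(ids)

    for rid, count in sorted(Counter(ids).items()):
        if count > 1:
            problems.append(f"rule {rid}: id defined {count} times")

    for rule in rules:
        rid = _rule_id(rule)
        if rid is None:
            problems.append("rule with missing or non-numeric id")
            continue
        if not LOCAL_MIN <= rid <= LOCAL_MAX:
            problems.append(f"rule {rid}: id outside the user range {LOCAL_MIN}-{LOCAL_MAX}")
        if not rule.findtext("description", "").strip():
            problems.append(f"rule {rid}: missing <description>")
        if rule.get("frequency") is not None:
            if rule.get("timeframe") is None:
                problems.append(f"rule {rid}: frequency without timeframe")
            if not any(rule.find(tag) is not None for tag in COMPOSITE_CONDITIONS):
                problems.append(f"rule {rid}: frequency rule has no if_matched_* condition")
        # <if_sid> may list several ids separated by commas
        for sid_text in (e.text or "" for e in rule.findall("if_sid")):
            for token in (t.strip() for t in sid_text.split(",")):
                if token.isdigit() and LOCAL_MIN <= int(token) <= LOCAL_MAX and int(token) not in defined:
                    problems.append(f"rule {rid}: if_sid {token} refers to a local rule not defined here")
    return problems


if __name__ == "__main__":
    for line in lint_rules(SAMPLE_RULES) or ["no problems found"]:
        print(line)
    probe_rule = parse_rules(SAMPLE_RULES)[2]
    print(f"rule 100017 fires on match number {effective_trigger_count(probe_rule)}")
```

Run it against your own local_rules.xml by reading the file into `lint_rules`; it only flags dangling references to ids in the local range, because ids below 100000 belong to the stock rule set and are not in the file being linted.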
From: [email protected] [mailto:[email protected]] On Behalf Of [email protected]
Sent: Thursday, March 3, 2016 6:35 AM
To: ossec-list <[email protected]>
Subject: [ossec-list] What's your favorite rules?
I'm wondering what everyone's favorite rules are.
I'm trying to come up with some new rules to tighten security, so I would like
to hear (and see code snippets) of folks' favorites, and what they are designed
to detect, i.e. detect commands run, look for certain IOCs and so on. I'm
impressed with how much OSSEC does out of the box too!
Thanks!
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.