Awesome, I would love to see more as you feel comfortable posting them. This was *exactly *what I was looking for.
Thanks! On Thursday, March 3, 2016 at 12:46:38 PM UTC-5, LostInThe Tubez wrote: > > Good thread idea. I’ve copied a few Windows-centric rules below. Some of > the rules that lean heavily on <match> could no doubt be improved, but they > don’t bother me with false positives or performance issues in my small > environment, so I don’t worry about it. YMMV. I also have some decoders and > rules for Cowrie honeypots, but intend to polish those up and submit a pull > request for those one of these days. If anyone is interested in testing > them though, I could send those off list. > > > > <rule id="100006" level="8"> > > <if_sid>594</if_sid> > > <match>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run</match> > > <description>A change has been made to the software that > automatically runs at startup.</description> > > </rule> > > > > <rule id="100010" level="7"> > > <if_sid>18103</if_sid> > > <match>Length specified in network packet</match> > > <description>Somebody is sending malformed data to your SQL > Server. You should probably investigate.</description> > > </rule> > > > > <rule id="100011" level="10"> > > <if_sid>18101</if_sid> > > <match>PSEXESVC|PsExec</match> > > <description>Remote access via PSEXEC. If this wasn't initiated by > you, then you've got a problem.</description> > > </rule> > > > > <rule id="100013" level="8"> > > <if_sid>18102</if_sid> > > <id>^2004$</id> > > <match>diagnosed</match> > > <description>There's a problem with abnormal memory usage on this > system! Please investigate the indicated processes.</description> > > </rule> > > > > <rule id="100014" level="7"> > > <if_sid>18104</if_sid> > > <id>4698</id> > > <description>A scheduled task has been created on this machine. > Please review.</description> > > <info>Requires group policy modification to the Advanced Security > Audit policy/Audit Other Object Access Events. See: > https://technet.microsoft.com/en-us/library/dn319119.aspx</info> > > </rule> > > > > <rule id="100016" level="1"> > > <if_sid>18103</if_sid> > > <id>36874|36888</id> > > <group>recon_ssl,</group> > > <description>Add Schannel errors to the custom recon_ssl > group</description> > > </rule> > > > > <rule id="100017" level="7" frequency="38" timeframe="120" ignore="1800"> > > <if_matched_group>recon_ssl</if_matched_group> > > <description>There have been over 40 SSL cipher suite probes in > the last two minutes. Someone may be performing reconnaissance on your > servers, assessing whether one of your SSL-enabled services is vulnerable > to exploits.</description> > > <info>Unfortunately, Schannel errors are of limited usefulness. > They occur without any indication of which IP address caused them, so > consulting contextual log info or firewall logs is the only way to track > down who is responsible.</info> > > </rule> > > > > <rule id="100022" level="7"> > > <if_sid>18103</if_sid> > > <id>^1000$|^1002$|^7023$|^7034$</id> > > <!--<match>Fault|terminate</match>--> > > <description>A program or service has crashed. Investigate as > appropriate.</description> > > </rule> > > > > <rule id="100026" level="7"> > > <if_sid>18101</if_sid> > > <id>^7045$</id> > > <description>A new service has been installed on this > computer.</description> > > </rule> > > > > *From:* ossec...@googlegroups.com <javascript:> [mailto: > ossec...@googlegroups.com <javascript:>] *On Behalf Of * > namobud...@gmail.com <javascript:> > *Sent:* Thursday, March 3, 2016 6:35 AM > *To:* ossec-list <ossec...@googlegroups.com <javascript:>> > *Subject:* [ossec-list] What's your favorite rules? > > > > I'm wondering what everyone's favorite rules are. > > > > I'm trying to come up with some new rules to tighten security, so I would > like to hear (and see code snippets) or folks favorites, and what they are > designed to detect. I.E. detect commands run, look for certain IOC's and so > on. I'm impressed with how much OSSEC does out of box too! > > > > Thanks! > > > > -- > > --- > You received this message because you are subscribed to the Google Groups > "ossec-list" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to ossec-list+...@googlegroups.com <javascript:>. > For more options, visit https://groups.google.com/d/optout. > -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
