1002 ;))))))

On Friday, April 22, 2016 at 7:07:32 PM UTC+2, [email protected] wrote:
>
> These worked great, just wondering if you have any updates.
>
> On Thursday, March 3, 2016 at 12:46:38 PM UTC-5, LostInThe Tubez wrote:
>>
>> Good thread idea. I've copied a few Windows-centric rules below. Some of
>> the rules that lean heavily on <match> could no doubt be improved, but they
>> don't bother me with false positives or performance issues in my small
>> environment, so I don't worry about it. YMMV. I also have some decoders and
>> rules for Cowrie honeypots, but intend to polish those up and submit a pull
>> request for those one of these days. If anyone is interested in testing
>> them though, I could send those off list.
>>
>> <!-- Parent rules referenced by if_sid below: 594 is the stock syscheck
>>      registry-change rule; 18101-18104 are the stock Windows event rules
>>      (18101 informational, 18102 warning, 18103 error, 18104 audit success). -->
>>
>> <rule id="100006" level="8">
>>   <if_sid>594</if_sid>
>>   <!-- <match> is sregex: backslashes are literal, only ^ $ | are special -->
>>   <match>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run</match>
>>   <description>A change has been made to the software that
>>   automatically runs at startup.</description>
>> </rule>
>>
>> <rule id="100010" level="7">
>>   <if_sid>18103</if_sid>
>>   <match>Length specified in network packet</match>
>>   <description>Somebody is sending malformed data to your SQL
>>   Server. You should probably investigate.</description>
>> </rule>
>>
>> <rule id="100011" level="10">
>>   <if_sid>18101</if_sid>
>>   <match>PSEXESVC|PsExec</match>
>>   <description>Remote access via PSEXEC. If this wasn't initiated
>>   by you, then you've got a problem.</description>
>> </rule>
>>
>> <rule id="100013" level="8">
>>   <if_sid>18102</if_sid>
>>   <id>^2004$</id>
>>   <match>diagnosed</match>
>>   <description>There's a problem with abnormal memory usage on this
>>   system! Please investigate the indicated processes.</description>
>> </rule>
>>
>> <rule id="100014" level="7">
>>   <if_sid>18104</if_sid>
>>   <!-- unanchored: "4698" also matches any event ID that merely contains 4698 -->
>>   <id>4698</id>
>>   <description>A scheduled task has been created on this machine.
>>   Please review.</description>
>>   <info>Requires group policy modification to the Advanced Security
>>   Audit policy/Audit Other Object Access Events. See:
>>   https://technet.microsoft.com/en-us/library/dn319119.aspx</info>
>> </rule>
>>
>> <rule id="100016" level="1">
>>   <if_sid>18103</if_sid>
>>   <id>36874|36888</id>
>>   <group>recon_ssl,</group>
>>   <description>Add Schannel errors to the custom recon_ssl
>>   group</description>
>> </rule>
>>
>> <!-- OSSEC triggers a frequency rule at frequency + 2 matches, so 38 fires on
>>      the 40th probe; ignore="1800" then silences it for 30 minutes -->
>> <rule id="100017" level="7" frequency="38" timeframe="120" ignore="1800">
>>   <if_matched_group>recon_ssl</if_matched_group>
>>   <description>There have been over 40 SSL cipher suite probes in
>>   the last two minutes. Someone may be performing reconnaissance on your
>>   servers, assessing whether one of your SSL-enabled services is vulnerable
>>   to exploits.</description>
>>   <info>Unfortunately, Schannel errors are of limited usefulness.
>>   They occur without any indication of which IP address caused them, so
>>   consulting contextual log info or firewall logs is the only way to track
>>   down who is responsible.</info>
>> </rule>
>>
>> <rule id="100022" level="7">
>>   <if_sid>18103</if_sid>
>>   <id>^1000$|^1002$|^7023$|^7034$</id>
>>   <!--<match>Fault|terminate</match>-->
>>   <description>A program or service has crashed. Investigate as
>>   appropriate.</description>
>> </rule>
>>
>> <rule id="100026" level="7">
>>   <if_sid>18101</if_sid>
>>   <id>^7045$</id>
>>   <description>A new service has been installed on this
>>   computer.</description>
>> </rule>
>>
>> From: [email protected] [mailto:[email protected]] On Behalf Of [email protected]
>> Sent: Thursday, March 3, 2016 6:35 AM
>> To: ossec-list <[email protected]>
>> Subject: [ossec-list] What's your favorite rules?
>>
>> I'm wondering what everyone's favorite rules are.
>>
>> I'm trying to come up with some new rules to tighten security, so I would
>> like to hear (and see code snippets) of folks' favorites, and what they are
>> designed to detect, i.e. detect commands run, look for certain IOCs and so
>> on. I'm impressed with how much OSSEC does out of the box too!
>>
>> Thanks!
>>
>> --
>> ---
>> You received this message because you are subscribed to the Google Groups
>> "ossec-list" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> For more options, visit https://groups.google.com/d/optout.
>>
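The following is an added example, not code from the thread's author or from OSSEC itself: a small Python model of how the rules quoted above are evaluated, run over constructed Windows events (not real logs). It covers the pieces those rules depend on: `if_sid` chaining to a parent rule, `<id>` and `<match>` as sregex (only `^`, `$` and `|` are special, backslashes are literal), `<group>`, and a composite `if_matched_group` rule with `frequency`, `timeframe` and `ignore`. Two things it encodes are worth checking against your OSSEC version: the OSSEC docs state a frequency rule triggers at `frequency + 2` matches (which is why `frequency="38"` fires on the 40th probe), and patterns are assumed to be case-insensitive. Unlike OSSEC, which stops at the first match in its rule tree, the model reports every matching rule. Descriptions are dropped from the embedded rule subset to keep it short.

```python
"""Toy model of how OSSEC evaluates the Windows rules posted in this thread.
Added example, not OSSEC code.  Models if_sid, <id>/<match> as sregex
(only ^ $ | are special), <group>, and a composite if_matched_group rule
with frequency/timeframe/ignore.  Assumed: frequency + 2 triggers (per the
OSSEC docs) and case-insensitive matching.  Every matching rule is reported.
"""
import re
import xml.etree.ElementTree as ET
from collections import defaultdict, deque

# Subset of the thread's rules (descriptions dropped), wrapped in <group> so it parses.
RULES_XML = """<group name="local,windows,">
  <rule id="100011" level="10">
    <if_sid>18101</if_sid>
    <match>PSEXESVC|PsExec</match>
  </rule>
  <rule id="100014" level="7">
    <if_sid>18104</if_sid>
    <id>4698</id>
  </rule>
  <rule id="100016" level="1">
    <if_sid>18103</if_sid>
    <id>36874|36888</id>
    <group>recon_ssl,</group>
  </rule>
  <rule id="100017" level="7" frequency="38" timeframe="120" ignore="1800">
    <if_matched_group>recon_ssl</if_matched_group>
  </rule>
</group>"""

def sregex(pattern):
    """sregex -> Python regex: ^ $ anchor, | alternates, everything else literal."""
    parts = []
    for alt in pattern.split("|"):
        head, tail = alt.startswith("^"), alt.endswith("$")
        body = alt[1 if head else 0:len(alt) - 1 if tail else len(alt)]
        parts.append(("^" if head else "") + re.escape(body) + ("$" if tail else ""))
    return re.compile("|".join(parts), re.IGNORECASE)  # assumed: case-insensitive

def load_rules(xml_text):
    """Parse <rule> elements into dicts; absent fields become None/0/[]."""
    rules = []
    for r in ET.fromstring(xml_text).iter("rule"):
        t = r.findtext
        rules.append({
            "id": int(r.get("id")), "level": int(r.get("level")),
            "if_sid": int(t("if_sid")) if t("if_sid") else None,
            "id_re": sregex(t("id")) if t("id") else None,
            "match_re": sregex(t("match")) if t("match") else None,
            "groups": [g for g in (t("group") or "").split(",") if g],
            "if_matched_group": t("if_matched_group"),
            **{k: int(r.get(k, 0)) for k in ("frequency", "timeframe", "ignore")},
        })
    return rules

def new_state():
    return {"window": defaultdict(deque), "muted_until": {}}  # per composite rule

def evaluate(rules, state, event):
    """event = {time, parent_sid, id, message}; returns the rule ids that fired."""
    fired, hit_groups = [], set()
    for r in rules:  # atomic rules: parent rule, then event id, then message
        if r["if_sid"] is None or event["parent_sid"] != r["if_sid"]:
            continue
        if r["id_re"] and not r["id_re"].search(event["id"]):
            continue
        if r["match_re"] and not r["match_re"].search(event["message"]):
            continue
        fired.append(r["id"])
        hit_groups.update(r["groups"])
    for r in rules:  # composite rules keyed on the groups hit above
        if r["if_matched_group"] not in hit_groups:
            continue
        w = state["window"][r["id"]]
        w.append(event["time"])
        while event["time"] - w[0] > r["timeframe"]:  # forget hits outside timeframe
            w.popleft()
        if event["time"] < state["muted_until"].get(r["id"], -1):
            continue  # still inside the ignore= period
        if len(w) >= r["frequency"] + 2:  # OSSEC triggers at frequency + 2
            fired.append(r["id"])
            state["muted_until"][r["id"]] = event["time"] + r["ignore"]
            w.clear()
    return fired

def run_demo():
    """Constructed events (not real logs); returns {rule_id: [times it fired]}."""
    rules, state = load_rules(RULES_XML), new_state()
    events = [
        dict(time=0, parent_sid=18101, id="7045", message="Service Name: PSEXESVC"),
        dict(time=2, parent_sid=18104, id="4698", message="A scheduled task was created."),
        dict(time=3, parent_sid=18104, id="14698", message="unanchored <id> hits this too"),
        dict(time=4, parent_sid=18103, id="4698", message="same id, wrong parent rule"),
    ]
    # 40 Schannel errors within 120 s: the 40th (38 + 2) trips 100017
    events += [dict(time=10 + i, parent_sid=18103, id="36874", message="fatal alert")
               for i in range(40)]
    hits = defaultdict(list)
    for e in events:
        for rid in evaluate(rules, state, e):
            hits[rid].append(e["time"])
    return dict(hits)
```

The unanchored `<id>4698</id>` firing on event ID 14698 is the reason the other rules in the thread write `^7045$`; the model makes that visible. Against a real install, the equivalent check is to paste a sample event into `ossec-logtest` and confirm which rule ID it lands on before deploying a new local rule.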
