Merge pull request #3584 from redsand/fp_fixes_some_logic_errors

FP: fixes some logic errors where conditions could not be met

rules/compliance/firewall_cleartext_protocols.yml

@@ -3,9 +3,9 @@ id: d7fb8f0e-bd5f-45c2-b467-19571c490d7e
 status: stable
 description: Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels. Ensure that an encryption
     is used for all sensitive information in transit. Ensure that an encrypted channels is used  for all administrative account access.
-author: Alexandr Yampolskyi, SOC Prime
+author: Alexandr Yampolskyi, SOC Prime, Tim Shelton
 date: 2019/03/26
-modified: 2021/11/23
+modified: 2022/10/10
 references:
     - https://www.cisecurity.org/controls/cis-controls-list/
     - https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
@@ -13,7 +13,7 @@ references:
 logsource:
     category: firewall
 detection:
-    selection1:
+    selection:
         dst_port:
             - 8080
             - 21
@@ -31,12 +31,14 @@ detection:
             - 5902
             - 5903
             - 5904
-    selection2:
+    selection_allow1:
         action:
             - forward
             - accept
             - 2
-    condition: all of selection*
+    selection_allow2:
+        blocked: "false" # not all fws set action value, but are set to mark as blocked or allowed or not
+    condition: selection and 1 of selection_allow*
 falsepositives:
     - Unknown
 level: low
@@ -82,4 +84,4 @@ level: low
     # - PCI DSS 3.2 4.3
     # - PCI DSS 3.2 7.1
     # - PCI DSS 3.2 7.2
-    # - PCI DSS 3.2 7.3
+    # - PCI DSS 3.2 7.3

rules/network/zeek/zeek_smb_converted_win_lm_namedpipe.yml

@@ -2,11 +2,11 @@ title: First Time Seen Remote Named Pipe - Zeek
 id: 021310d9-30a6-480a-84b7-eaa69aeb92bb
 status: test
 description: This detection excludes known namped pipes accessible remotely and notify on newly observed ones, may help to detect lateral movement and remote exec using named pipes
-author: 'Samir Bousseaden, @neu5ron'
+author: Samir Bousseaden, @neu5ron, Tim Shelton
 references:
   - https://github.com/neo23x0/sigma/blob/d42e87edd741dd646db946f30964f331f92f50e6/rules/windows/builtin/win_lm_namedpipe.yml
 date: 2020/04/02
-modified: 2021/11/27
+modified: 2022/10/10
 logsource:
   product: zeek
   service: smb_files
@@ -14,9 +14,6 @@ detection:
   selection1:
     path: \\\*\IPC$
   selection2:
-    path: \\\*\IPC$
-    name:
-      - 'atsvc'
       - 'samr'
       - 'lsarpc'
       - 'winreg'

rules/network/zeek/zeek_smb_converted_win_susp_psexec.yml

@@ -2,11 +2,11 @@ title: Suspicious PsExec Execution - Zeek
 id: f1b3a22a-45e6-4004-afb5-4291f9c21166
 status: test
 description: detects execution of psexec or paexec with renamed service name, this rule helps to filter out the noise if psexec is used for legit purposes or if attacker uses a different psexec client other than sysinternal one
-author: 'Samir Bousseaden, @neu5ron'
+author: Samir Bousseaden, @neu5ron, Tim Shelton
 references:
   - https://github.com/neo23x0/sigma/blob/d42e87edd741dd646db946f30964f331f92f50e6/rules/windows/builtin/win_susp_psexec.yml
 date: 2020/04/02
-modified: 2021/11/27
+modified: 2022/10/10
 logsource:
   product: zeek
   service: smb_files
@@ -20,10 +20,7 @@ detection:
       - '-stdout'
       - '-stderr'
   selection2:
-    name|contains|all:
-      - '\\'
-      - '\IPC$'
-    path|startswith: 'PSEXESVC'
+    name|startswith: 'PSEXESVC' #
   condition: selection1 and not selection2
 falsepositives:
   - Unknown