diff --git a/rules/web/web_citrix_cve_2019_19781_exploit.yml b/rules/web/web_citrix_cve_2019_19781_exploit.yml
index 0c814d105..1753d6235 100644
--- a/rules/web/web_citrix_cve_2019_19781_exploit.yml
+++ b/rules/web/web_citrix_cve_2019_19781_exploit.yml
@@ -13,7 +13,7 @@ date: 2020/01/02
 modified: 2020/03/14
 logsource:
     category: webserver
-    description: 'Make sure that your Netscaler appliance logs all kinds of attacks (test with http://your-citrix-gw.net/robots.txt). The directory traversal with ../ might not be needed on certain cloud instances or for authenticated users, so we also check for direct paths. All scripts in portal/scripts are exploitable except logout.pl.'
+    definition: 'Make sure that your Netscaler appliance logs all kinds of attacks (test with http://your-citrix-gw.net/robots.txt). The directory traversal with ../ might not be needed on certain cloud instances or for authenticated users, so we also check for direct paths. All scripts in portal/scripts are exploitable except logout.pl.'
 detection:
     selection:
         c-uri:
diff --git a/rules/windows/builtin/win_GPO_scheduledtasks.yml b/rules/windows/builtin/win_GPO_scheduledtasks.yml
index 75dfa1b0c..ade52cdea 100644
--- a/rules/windows/builtin/win_GPO_scheduledtasks.yml
+++ b/rules/windows/builtin/win_GPO_scheduledtasks.yml
@@ -14,7 +14,7 @@ tags:
 logsource:
     product: windows
     service: security
-    description: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'
+    definition: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'
 detection:
     selection:
         EventID: 5145
diff --git a/rules/windows/builtin/win_alert_ad_user_backdoors.yml b/rules/windows/builtin/win_alert_ad_user_backdoors.yml
index 9ce1e7e78..b1fc66523 100644
--- a/rules/windows/builtin/win_alert_ad_user_backdoors.yml
+++ b/rules/windows/builtin/win_alert_ad_user_backdoors.yml
@@ -14,8 +14,8 @@ tags:
 logsource:
     product: windows
     service: security
-    definition1: 'Requirements: Audit Policy : Account Management > Audit User Account Management, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Account Management\Audit User Account Management'
-    definition2: 'Requirements: Audit Policy : DS Access > Audit Directory Service Changes, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\DS Access\Audit Directory Service Changes'
+    definition: 'Requirements: Audit Policy : Account Management > Audit User Account Management, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Account Management\Audit User Account Management,
+        DS Access > Audit Directory Service Changes, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\DS Access\Audit Directory Service Changes'
 detection:
     selection1:
         EventID: 4738
diff --git a/rules/windows/builtin/win_atsvc_task.yml b/rules/windows/builtin/win_atsvc_task.yml
index bb4ce41a7..b7ad1afd7 100644
--- a/rules/windows/builtin/win_atsvc_task.yml
+++ b/rules/windows/builtin/win_atsvc_task.yml
@@ -15,7 +15,7 @@ tags:
 logsource:
     product: windows
     service: security
-    description: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'
+    definition: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'
 detection:
     selection:
         EventID: 5145
diff --git a/rules/windows/builtin/win_global_catalog_enumeration.yml b/rules/windows/builtin/win_global_catalog_enumeration.yml
index d2707b31b..d364688a3 100644
--- a/rules/windows/builtin/win_global_catalog_enumeration.yml
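Review bot: The merged `definition` value in the win_alert_ad_user_backdoors hunk folds the two audit prerequisites into one comma-separated run, so the second one (DS Access > Audit Directory Service Changes) loses its `Audit Policy :` label and reads as a continuation of the first Group Policy path. Analysts use this field to know which audit subcategories must be enabled before the rule can fire, so keep both requirements labelled: end the first line with `...Audit Policies\Account Management\Audit User Account Management;` and begin the continuation with `Audit Policy : DS Access > Audit Directory Service Changes, Group Policy : ...`. Inside a single-quoted YAML scalar the line break folds to a space, so the continuation line must be indented deeper than `definition:` for the rule to still parse; worth checking, since the collapsed diff does not show the indentation. The rule's detection block continues outside the hunk.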
+++ b/rules/windows/builtin/win_global_catalog_enumeration.yml
@@ -9,7 +9,7 @@ tags:
 logsource:
     product: windows
     service: system
-    description: 'The advanced audit policy setting "Windows Filtering Platform > Filtering Platform Connection" must be configured for Success'
+    definition: 'The advanced audit policy setting "Windows Filtering Platform > Filtering Platform Connection" must be configured for Success'
 detection:
     selection:
         EventID: 5156
diff --git a/rules/windows/builtin/win_impacket_secretdump.yml b/rules/windows/builtin/win_impacket_secretdump.yml
index ca4effe5b..4b6f4dc23 100644
--- a/rules/windows/builtin/win_impacket_secretdump.yml
+++ b/rules/windows/builtin/win_impacket_secretdump.yml
@@ -14,7 +14,7 @@ tags:
 logsource:
     product: windows
     service: security
-    description: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'
+    definition: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'
 detection:
     selection:
         EventID: 5145
diff --git a/rules/windows/builtin/win_lm_namedpipe.yml b/rules/windows/builtin/win_lm_namedpipe.yml
index 8bbbbc1a2..33612fe94 100644
--- a/rules/windows/builtin/win_lm_namedpipe.yml
+++ b/rules/windows/builtin/win_lm_namedpipe.yml
@@ -12,7 +12,7 @@ tags:
 logsource:
     product: windows
     service: security
-    description: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'
+    definition: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'
 detection:
     selection1:
         EventID: 5145
diff --git a/rules/windows/builtin/win_susp_psexec.yml b/rules/windows/builtin/win_susp_psexec.yml
index 62216f2e9..6c8ff078e 100644
--- a/rules/windows/builtin/win_susp_psexec.yml
+++ b/rules/windows/builtin/win_susp_psexec.yml
@@ -12,7 +12,7 @@ tags:
 logsource:
     product: windows
     service: security
-    description: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'
+    definition: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'
 detection:
     selection1:
         EventID: 5145
diff --git a/rules/windows/builtin/win_svcctl_remote_service.yml b/rules/windows/builtin/win_svcctl_remote_service.yml
index eaffe17d1..013f834e9 100644
--- a/rules/windows/builtin/win_svcctl_remote_service.yml
+++ b/rules/windows/builtin/win_svcctl_remote_service.yml
@@ -11,7 +11,7 @@ tags:
 logsource:
     product: windows
     service: security
-    description: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'
+    definition: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'
 detection:
     selection:
         EventID: 5145
diff --git a/rules/windows/powershell/powershell_data_compressed.yml b/rules/windows/powershell/powershell_data_compressed.yml
index ebd3a1c0c..89c927b08 100644
--- a/rules/windows/powershell/powershell_data_compressed.yml
+++ b/rules/windows/powershell/powershell_data_compressed.yml
@@ -10,7 +10,7 @@ references:
 logsource:
     product: windows
     service: powershell
-    description: 'Script block logging must be enabled'
+    definition: 'Script block logging must be enabled'
 detection:
     selection:
         EventID: 4104
diff --git a/rules/windows/powershell/powershell_shellcode_b64.yml b/rules/windows/powershell/powershell_shellcode_b64.yml
index fabff88ac..15c7fc9ec 100644
--- a/rules/windows/powershell/powershell_shellcode_b64.yml
+++ b/rules/windows/powershell/powershell_shellcode_b64.yml
@@ -15,7 +15,7 @@ date: 2018/11/17
 logsource:
     product: windows
     service: powershell
-    description: 'Script block logging must be enabled'
+    definition: 'Script block logging must be enabled'
 detection:
     selection:
         EventID: 4104
diff --git a/rules/windows/powershell/powershell_winlogon_helper_dll.yml b/rules/windows/powershell/powershell_winlogon_helper_dll.yml
index bc5c334e0..7736fe84c 100644
--- a/rules/windows/powershell/powershell_winlogon_helper_dll.yml
+++ b/rules/windows/powershell/powershell_winlogon_helper_dll.yml
@@ -10,7 +10,7 @@ references:
 logsource:
     product: windows
     service: powershell
-    description: 'Script block logging must be enabled'
+    definition: 'Script block logging must be enabled'
 detection:
     selection:
         EventID: 4104
diff --git a/rules/windows/powershell/powershell_wmimplant.yml b/rules/windows/powershell/powershell_wmimplant.yml
index c8a64f20c..2bb8f63d1 100644
--- a/rules/windows/powershell/powershell_wmimplant.yml
+++ b/rules/windows/powershell/powershell_wmimplant.yml
@@ -12,7 +12,7 @@ date: 2020/03/26
 logsource:
     product: windows
     service: powershell
-    description: "Script block logging must be enabled"
+    definition: "Script block logging must be enabled"
 detection:
     selection:
         ScriptBlockText|contains:
diff --git a/tests/test_rules.py b/tests/test_rules.py
index ecfb2f348..80f7b9517 100755
--- a/tests/test_rules.py
+++ b/tests/test_rules.py
@@ -323,6 +323,13 @@ class TestRules(unittest.TestCase):
         self.assertEqual(faulty_rules, [], Fore.RED + "There are rules with non-conform 'title' fields. Please check: https://github.com/Neo23x0/sigma/wiki/Rule-Creation-Guide#title")
+    def test_invalid_logsource_attributes(self):
+        faulty_rules = []
+        for file in self.yield_next_rule_file_path(self.path_to_rules):
+            logsource = self.get_rule_part(file_path=file, part_name="logsource")
+            for key in logsource:
+                if key.lower() not in ['category', 'product', 'service', 'definition']:
+                    print(Fore.RED + "Rule {} has a logsource with an invalid field ({})".format(file, key))
 def get_mitre_data():
     """
     Generate tags from live MITRE ATT&CK TAXI service to get up-to-date data
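Review bot: `test_invalid_logsource_attributes` can never fail: `faulty_rules` is initialised but nothing is appended to it and there is no assertion, so a rule with a stray `description` (or any other unknown) key under `logsource` only prints a message and CI stays green, which defeats the purpose of the rename made in the rest of this commit. Record the offender inside the `if` with `faulty_rules.append(file)` and close the method the way the preceding title test does, `self.assertEqual(faulty_rules, [], Fore.RED + "There are rules with invalid 'logsource' fields. Please check: https://github.com/Neo23x0/sigma/wiki/Rule-Creation-Guide#log-source")`. The `key.lower()` comparison also accepts spellings such as `Category` or `Product` that a consumer of these rules may not; if field names are meant to be exact, compare `key` directly. If `get_rule_part` returns `None` for a rule that has no `logsource` section the inner `for` will raise a TypeError rather than report it, which is worth confirming against its implementation; both that helper and the enclosing `TestRules` class lie outside this hunk, and `get_mitre_data` continues past it.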