Commit Graph

207 Commits

Author SHA1 Message Date
Nasreddine Bencherchali a25027fef8 fix: rename links from old repo to SigmaHQ 2022-12-27 21:05:16 +01:00
frack113 7060db3d47 Promotion rules (#3821)
* Promotion rules

* fix missing null

* fix: modified date

Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2022-12-27 12:29:10 +01:00
Nasreddine Bencherchali 03cc78e916 feat: filename test enhancements (#3812) 2022-12-23 09:25:16 +01:00
Nasreddine Bencherchali 1d7ee1cd19 feat: enhance duplicate test (#3736)
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2022-11-29 13:47:09 +01:00
frack113 c820216541 Update Title (#3733) 2022-11-28 06:43:17 +01:00
frack113 ad3a3e3b71 Order yaml field 4 (#3628) 2022-10-25 09:30:05 +02:00
Tim Shelton ebad3c9d7d FP: fixes some logic errors where conditions could not be met 2022-10-12 16:51:58 +00:00
frack113 931fb30853 old experimental rule promotion 2022-10-09 16:54:04 +02:00
Nasreddine Bencherchali 2c26614ce4 Update Wildcard + Int to Str fields 2022-10-05 23:15:20 +02:00
David ANDRE 0b0190ccb1 Added quotes to strings 2022-09-01 15:22:26 +02:00
Florian Roth 664ec8b43e refactor: remove rules for false alarm
https://twitter.com/cyb3rops/status/1555242921850544131
2022-08-04 20:05:16 +02:00
Florian Roth 72dbfffc0f rule: myjino github repo compromise 2022-08-03 08:34:28 +02:00
Nasreddine Bencherchali 62574e9b0c Update Ref+Selection 3 2022-07-11 18:12:51 +01:00
Nasreddine Bencherchali 238e0ecd7d Update Ref+Selection 2022-07-11 14:11:53 +01:00
Nasreddine Bencherchali d03f6df250 Reference Update [Batch 1] 2022-07-07 15:24:15 +01:00
Florian Roth 61ad8ddb62 docs: reworked id, author, links 2022-06-07 17:09:06 +02:00
Florian Roth 5ab51d0b9a Merge branch 'master' into rule-devel 2022-06-07 10:40:33 +02:00
Florian Roth 3086226bf8 extended list of domains 2022-06-07 10:36:43 +02:00
Florian Roth de4cde1b97 rule: external service interaction domains 2022-06-07 10:30:38 +02:00
Florian Roth 04f1480814 refactor: network "other" to "dns" and "firewall" 2022-06-07 10:30:21 +02:00
frack113 8de0027ca3 refactor condition 2022-06-03 15:35:24 +02:00
David ANDRE 74b9f97b9c Renamed suspicious in filenames to susp 2022-05-19 09:37:04 +02:00
frack113 ca19c41192 Merge pull request #3001 from redsand/fp_zeek_add_ip6_non_routable
FP - adding ip6 non routable filter for zeek
2022-05-11 16:48:23 +02:00
Tim Shelton 3f3f986259 unifying detection 2022-05-11 14:30:14 +00:00
Tim Shelton 20e09530cf removing leading caret. moved to startswith usage 2022-05-11 14:07:47 +00:00
Tim Shelton af32096ead moving to startswith 2022-05-10 22:19:51 +00:00
Tim Shelton b68e491055 updating ipv4 private ranges 2022-05-10 22:18:58 +00:00
Tim Shelton fdc1a1711a adding ip6 non routable filter 2022-05-10 03:07:14 +00:00
phantinuss b991a5be52 chore: test rules: warn on errors or invalid FP reasons
also adapted the existing rules to pass the tests
2022-05-09 16:07:55 +02:00
phantinuss dbd68bf3f0 chore: test rules: capitalization on FP list entries
Entries to the false positive list should begin with
a capital letter. e.g. Unknown instead of unknown.

Fixed the existing rules accordingly
2022-05-09 16:07:44 +02:00
mportatoes b912a87a9c Update zeek_dns_nkn.yml 2022-04-22 07:26:25 -05:00
mportatoes 8d70818e05 Create zeek_dns_nkn.yml 2022-04-21 15:04:19 -05:00
Florian Roth c331195637 fix: empty query in rule > bug 2022-03-24 15:17:29 +01:00
phantinuss 043747822f fix: more falsepositives harmonization 2022-03-16 14:57:06 +01:00
phantinuss 84d0c472ba fix: remove penetration test as valid false positive reason 2022-03-16 14:33:18 +01:00
phantinuss 8d3f8acb60 fix: none --> Unknown 2022-03-16 14:19:21 +01:00
phantinuss 4585133325 fix: remove penetration testing as a valid false positive 2022-03-16 13:51:26 +01:00
phantinuss b23eee6ebf fix: unknown --> Unknown 2022-03-16 13:43:54 +01:00
Nate Guagenti 7dc0facf05 Update zeek_dns_suspicious_zbit_flag.yml 2022-02-24 20:03:56 -05:00
Nate Guagenti 878df636e2 Update zeek_dns_suspicious_zbit_flag.yml
add MX, common mail server query type to exclusion list.
2022-02-24 14:57:24 -05:00
frack113 4631d0c482 remove invalid tag 2022-01-19 18:23:30 +01:00
frack113 f7e670d55e Simple Quote 2022-01-11 13:40:53 +01:00
Florian Roth e055ec1d52 refactor: change all " of them" expressions 2022-01-11 10:59:57 +01:00
frack113 73f258e2d1 Change double quote to quote 2022-01-06 14:02:35 +01:00
Florian Roth 820cc0ccf8 Merge branch 'master' into rule-devel 2021-11-29 11:00:25 +01:00
Florian Roth ef7810fa8b fix: fixing issues with wildcard symbol
https://github.com/SigmaHQ/sigma/issues/2339
2021-11-29 10:57:01 +01:00
frack113 01dc930c17 Change status for old rules 2021-11-27 11:33:14 +01:00
frack113 83dee26262 Update net_pua_cryptocoin_mining_xmr.yml 2021-11-20 19:20:07 +01:00
V1D1AN d4976b015c add tag mitre attack.t1496 and attack.t1567 2021-11-20 16:34:41 +01:00
V1D1AN c190668166 add tag mitre t1041 for equation group c2 2021-11-20 16:23:27 +01:00