security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions 3 Packages Projects Releases Wiki Activity
12,584 Commits 1 Branch 57 Tags
80098113d06750ddb9ab275d7df1049f88d4ea7c
Commit Graph

106 Commits

Author SHA1 Message Date
Nasreddine Bencherchali 62574e9b0c Update Ref+Selection 3 2022-07-11 18:12:51 +01:00
Nasreddine Bencherchali 238e0ecd7d Update Ref+Selection 2022-07-11 14:11:53 +01:00
Nasreddine Bencherchali d03f6df250 Reference Update [Batch 1] 2022-07-07 15:24:15 +01:00
frack113 8de0027ca3 refactor condition 2022-06-03 15:35:24 +02:00
David ANDRE 74b9f97b9c Renamed suspicious in filenames to susp 2022-05-19 09:37:04 +02:00
frack113 ca19c41192 Merge pull request #3001 from redsand/fp_zeek_add_ip6_non_routable 
FP - adding ip6 non routable filter for zeek
 2022-05-11 16:48:23 +02:00
Tim Shelton 3f3f986259 unifying detection 2022-05-11 14:30:14 +00:00
Tim Shelton 20e09530cf removing leading carrot. moved to startswith usage 2022-05-11 14:07:47 +00:00
Tim Shelton af32096ead moving to startswith 2022-05-10 22:19:51 +00:00
Tim Shelton b68e491055 updating ipv4 private ranges 2022-05-10 22:18:58 +00:00
Tim Shelton fdc1a1711a adding ip6 non routable filter 2022-05-10 03:07:14 +00:00
phantinuss b991a5be52 chore: test rules: warn on errors or invalid FP reasons 
also adapted the existing rules to pass the tests
 2022-05-09 16:07:55 +02:00
phantinuss dbd68bf3f0 chore: test rules: capitalization on FP list entries 
Entires to the false positive list should begin with
a capital letter. e.g. Unkown instead of unkown.

Fixed the existing rules accordingly
 2022-05-09 16:07:44 +02:00
mportatoes b912a87a9c Update zeek_dns_nkn.yml 2022-04-22 07:26:25 -05:00
mportatoes 8d70818e05 Create zeek_dns_nkn.yml 2022-04-21 15:04:19 -05:00
phantinuss 043747822f fix: more falsepositives harmonization 2022-03-16 14:57:06 +01:00
phantinuss 84d0c472ba fix: remove penetration test as valid false positive reason 2022-03-16 14:33:18 +01:00
phantinuss 8d3f8acb60 fix: none --> Unknown 2022-03-16 14:19:21 +01:00
phantinuss b23eee6ebf fix: unknown --> Unknown 2022-03-16 13:43:54 +01:00
Nate Guagenti 7dc0facf05 Update zeek_dns_suspicious_zbit_flag.yml 2022-02-24 20:03:56 -05:00
Nate Guagenti 878df636e2 Update zeek_dns_suspicious_zbit_flag.yml 
add MX, common mail server query type to exclusion list.
 2022-02-24 14:57:24 -05:00
frack113 4631d0c482 remove invalid tag 2022-01-19 18:23:30 +01:00
frack113 f7e670d55e Simple Quote 2022-01-11 13:40:53 +01:00
Florian Roth e055ec1d52 refactor: change all " of them" expressions 2022-01-11 10:59:57 +01:00
frack113 73f258e2d1 Change double quote to quote 2022-01-06 14:02:35 +01:00
Florian Roth 820cc0ccf8 Merge branch 'master' into rule-devel 2021-11-29 11:00:25 +01:00
Florian Roth ef7810fa8b fix: fixing issues with wildcard symbol 
https://github.com/SigmaHQ/sigma/issues/2339
 2021-11-29 10:57:01 +01:00
frack113 01dc930c17 Change status for old rules 2021-11-27 11:33:14 +01:00
frack113 1cfca93354 Missing status in rules (#2284) 
* add missing status
 2021-11-19 22:32:26 +01:00
frack113 5f87eba896 restore src_ip for coverage 2021-11-14 10:11:29 +01:00
frack113 9d0be2348d Fix field name 2021-11-14 09:26:00 +01:00
frack113 5245360186 No filetype or bodyMagic in zeek http log field 2021-11-14 09:24:34 +01:00
Nate Guagenti 8291aba4d3 remove duplicate exclusion 
exclude_tlds was listed twice
 2021-11-06 15:45:34 -04:00
frack113 193357cf17 Add cve tags 2021-10-25 18:51:40 +02:00
frack113 f8574fcd81 Add cve tags 2021-10-25 18:40:50 +02:00
frack113 3c906b52a0 fix filename 2021-09-22 16:21:07 +02:00
neu5ron 61c9c9fb20 Zeek detection for OMIGOD HTTP RCE 
Signed-off-by: neu5ron <neu5ron@users.noreply.github.com>
 2021-09-20 12:26:01 -04:00
frack113 0288f5b626 fix condition operator case 2021-09-10 13:51:52 +02:00
Thomas Patzke 143744bc12 Various fixes 
* Backslashes in regular expressions
* Casing of condition operators
* Further small errors
 2021-09-07 23:38:07 +02:00
frack113 5b869a3f42 Update cve tags 2021-08-24 10:50:01 +02:00
frack113 679651bdf9 Merge pull request #1913 from neu5ron/add_zeek_dce_rpc_printnightmare_print_driver_install 
Zeek DCE_RPC PrintNightmare
 2021-08-24 08:37:02 +02:00
frack113 e76c11da7f Merge pull request #1908 from neu5ron/patch-7 
improve rule logic zeek_default_cobalt_strike_certificate.yml
 2021-08-24 08:36:33 +02:00
frack113 293f422243 Merge pull request #1906 from neu5ron/patch-5 
improve zeek_dce_rpc_smb_spoolss_named_pipe
 2021-08-24 08:36:18 +02:00
frack113 81ec546e42 Merge pull request #1905 from neu5ron/patch-4 
improve rule
 2021-08-24 08:36:04 +02:00
frack113 15aa0cb70e add modified 2021-08-24 08:02:24 +02:00
frack113 4ee4f12f30 add modified 2021-08-24 08:01:01 +02:00
frack113 8ab90d8012 add modified 2021-08-24 07:59:36 +02:00
frack113 be43ecd70d Remove empty element in list 
Otherwise get a `null` when convert to some backend (es-rule,...)
 2021-08-24 07:57:16 +02:00
neu5ron 9e588fdcf6 Zeek dce_rpc.log Detection of print driver installs over RPC (ie: possible PrintNightmare) using the three existing known RPC functions, as well as few others "discussed" but not directly related to PrintNightmare PoC or public post-compromise write-ups. 2021-08-24 00:58:36 -04:00
Nate Guagenti b255586117 condition fix and add fields 
should be `operation` not `endpoint` for the detection logic.
added various fields useful for investigation
 2021-08-23 14:59:06 -04:00