securepeacock
a60094531b
Update net_dns_wannacry_killswitch_domain.yml
2023-06-26 13:31:05 -04:00
frack113
1767446bb7
Fix logsource
Signed-off-by: frack113 <62423083+frack113@users.noreply.github.com>
2023-05-26 13:51:07 +02:00
Nasreddine Bencherchali
3d9372bef3
feat: new rules, updates and fp fixes (#4136)
2023-04-03 12:06:14 +02:00
Nasreddine Bencherchali
7c38a5c496
chore: add nextron authors tag
2023-02-01 11:14:59 +01:00
Nick Moore
0312c481d9
Change rules using all of required-lists to |all
When a Sigma rule writer wants to create a list of values where all of
them must be matched for the rule to trigger, the approach used
previously was to have an `all of` condition for a single selector.
However, this has now changed, and the new approach is to use an empty
key and the |all modifier (i.e., `'|all'`).
This commit (tries to) identify all the rules that used the old
approach and modifies them to use the new approach instead.
See SigmaHQ/sigma-specification#53 for further discussion.
2023-01-23 14:37:25 +00:00
TheLawsOfChaos
52e40d10ef
feat: updates multiple mitre tech/sub-tech/tactics (#3913)
2023-01-12 17:04:38 +01:00
Tim Brown
4b52acd2fe
feat: add rules for BGP and LDP authentication failures
2023-01-12 01:59:16 +01:00
frack113
756a248032
update logsource
2023-01-04 18:52:24 +01:00
Nasreddine Bencherchali
a25027fef8
fix: rename links from old repo to SigmaHQ
2022-12-27 21:05:16 +01:00
frack113
7060db3d47
Promotion rules (#3821)
* Promotion rules
* fix missing null
* fix: modified date
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2022-12-27 12:29:10 +01:00
Nasreddine Bencherchali
03cc78e916
feat: filename test enhancements (#3812)
2022-12-23 09:25:16 +01:00
Nasreddine Bencherchali
1d7ee1cd19
feat: enhance duplicate test (#3736)
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2022-11-29 13:47:09 +01:00
frack113
c820216541
Update Title (#3733)
2022-11-28 06:43:17 +01:00
frack113
ad3a3e3b71
Order yaml field 4 (#3628)
2022-10-25 09:30:05 +02:00
Tim Shelton
ebad3c9d7d
FP: fixes some logic errors where conditions could not be met
2022-10-12 16:51:58 +00:00
frack113
931fb30853
old experimental rule promotion
2022-10-09 16:54:04 +02:00
Nasreddine Bencherchali
2c26614ce4
Update Wildcard + Int to Str fields
2022-10-05 23:15:20 +02:00
David ANDRE
0b0190ccb1
Added quotes to strings
2022-09-01 15:22:26 +02:00
Florian Roth
664ec8b43e
refactor: remove rules for false alarm
https://twitter.com/cyb3rops/status/1555242921850544131
2022-08-04 20:05:16 +02:00
Florian Roth
72dbfffc0f
rule: myjino github repo compromise
2022-08-03 08:34:28 +02:00
Nasreddine Bencherchali
62574e9b0c
Update Ref+Selection 3
2022-07-11 18:12:51 +01:00
Nasreddine Bencherchali
238e0ecd7d
Update Ref+Selection
2022-07-11 14:11:53 +01:00
Nasreddine Bencherchali
d03f6df250
Reference Update [Batch 1]
2022-07-07 15:24:15 +01:00
Florian Roth
61ad8ddb62
docs: reworked id, author, links
2022-06-07 17:09:06 +02:00
Florian Roth
5ab51d0b9a
Merge branch 'master' into rule-devel
2022-06-07 10:40:33 +02:00
Florian Roth
3086226bf8
extended list of domains
2022-06-07 10:36:43 +02:00
Florian Roth
de4cde1b97
rule: external service interaction domains
2022-06-07 10:30:38 +02:00
Florian Roth
04f1480814
refactor: network "other" to "dns" and "firewall"
2022-06-07 10:30:21 +02:00
frack113
8de0027ca3
refactor condition
2022-06-03 15:35:24 +02:00
David ANDRE
74b9f97b9c
Renamed suspicious in filenames to susp
2022-05-19 09:37:04 +02:00
frack113
ca19c41192
Merge pull request #3001 from redsand/fp_zeek_add_ip6_non_routable
FP - adding ip6 non routable filter for zeek
2022-05-11 16:48:23 +02:00
Tim Shelton
3f3f986259
unifying detection
2022-05-11 14:30:14 +00:00
Tim Shelton
20e09530cf
removing leading caret. moved to startswith usage
2022-05-11 14:07:47 +00:00
Tim Shelton
af32096ead
moving to startswith
2022-05-10 22:19:51 +00:00
Tim Shelton
b68e491055
updating ipv4 private ranges
2022-05-10 22:18:58 +00:00
Tim Shelton
fdc1a1711a
adding ip6 non routable filter
2022-05-10 03:07:14 +00:00
phantinuss
b991a5be52
chore: test rules: warn on errors or invalid FP reasons
also adapted the existing rules to pass the tests
2022-05-09 16:07:55 +02:00
phantinuss
dbd68bf3f0
chore: test rules: capitalization on FP list entries
Entries to the false positive list should begin with
a capital letter, e.g. Unknown instead of unknown.
Fixed the existing rules accordingly
2022-05-09 16:07:44 +02:00
mportatoes
b912a87a9c
Update zeek_dns_nkn.yml
2022-04-22 07:26:25 -05:00
mportatoes
8d70818e05
Create zeek_dns_nkn.yml
2022-04-21 15:04:19 -05:00
Florian Roth
c331195637
fix: empty query in rule > bug
2022-03-24 15:17:29 +01:00
phantinuss
043747822f
fix: more falsepositives harmonization
2022-03-16 14:57:06 +01:00
phantinuss
84d0c472ba
fix: remove penetration test as valid false positive reason
2022-03-16 14:33:18 +01:00
phantinuss
8d3f8acb60
fix: none --> Unknown
2022-03-16 14:19:21 +01:00
phantinuss
4585133325
fix: remove penetration testing as a valid false positive
2022-03-16 13:51:26 +01:00
phantinuss
b23eee6ebf
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
Nate Guagenti
7dc0facf05
Update zeek_dns_suspicious_zbit_flag.yml
2022-02-24 20:03:56 -05:00
Nate Guagenti
878df636e2
Update zeek_dns_suspicious_zbit_flag.yml
add MX, common mail server query type to exclusion list.
2022-02-24 14:57:24 -05:00
frack113
4631d0c482
remove invalid tag
2022-01-19 18:23:30 +01:00
frack113
f7e670d55e
Simple Quote
2022-01-11 13:40:53 +01:00