blue-team-tools

Author	SHA1	Message	Date
Florian Roth	c331195637	fix: empty query in rule > bug	2022-03-24 15:17:29 +01:00
phantinuss	043747822f	fix: more falsepositives harmonization	2022-03-16 14:57:06 +01:00
phantinuss	84d0c472ba	fix: remove penetration test as valid false positive reason	2022-03-16 14:33:18 +01:00
phantinuss	8d3f8acb60	fix: none --> Unknown	2022-03-16 14:19:21 +01:00
phantinuss	4585133325	fix: remove penetration testing as a valid false positive	2022-03-16 13:51:26 +01:00
phantinuss	b23eee6ebf	fix: unknown --> Unknown	2022-03-16 13:43:54 +01:00
Nate Guagenti	7dc0facf05	Update zeek_dns_suspicious_zbit_flag.yml	2022-02-24 20:03:56 -05:00
Nate Guagenti	878df636e2	Update zeek_dns_suspicious_zbit_flag.yml add MX, common mail server query type to exclusion list.	2022-02-24 14:57:24 -05:00
$frack113$ frack113	4631d0c482	remove invalid tag	2022-01-19 18:23:30 +01:00
$frack113$ frack113	f7e670d55e	Simple Quote	2022-01-11 13:40:53 +01:00
Florian Roth	e055ec1d52	refactor: change all " of them" expressions	2022-01-11 10:59:57 +01:00
$frack113$ frack113	73f258e2d1	Change double quote to quote	2022-01-06 14:02:35 +01:00
Florian Roth	820cc0ccf8	Merge branch 'master' into rule-devel	2021-11-29 11:00:25 +01:00
Florian Roth	ef7810fa8b	fix: fixing issues with wildcard symbol https://github.com/SigmaHQ/sigma/issues/2339	2021-11-29 10:57:01 +01:00
$frack113$ frack113	01dc930c17	Change status for old rules	2021-11-27 11:33:14 +01:00
$frack113$ frack113	83dee26262	Update net_pua_cryptocoin_mining_xmr.yml	2021-11-20 19:20:07 +01:00
V1D1AN	d4976b015c	add tag mitre attack.t1496 and attack.t1567	2021-11-20 16:34:41 +01:00
V1D1AN	c190668166	add tag mitre t1041 for equation group c2	2021-11-20 16:23:27 +01:00
$frack113$ frack113	1cfca93354	Missing status in rules (#2284 ) * add missing status	2021-11-19 22:32:26 +01:00
$frack113$ frack113	5f87eba896	restore src_ip for coverage	2021-11-14 10:11:29 +01:00
$frack113$ frack113	9d0be2348d	Fix field name	2021-11-14 09:26:00 +01:00
$frack113$ frack113	5245360186	No filetype or bodyMagic in zeek http log field	2021-11-14 09:24:34 +01:00
Florian Roth	4e2e75cd2f	Merge branch 'master' into pr/2231	2021-11-11 18:09:23 +01:00
Florian Roth	c07a9adb9b	fix: moved rule written for DNS/Sysmon to the correct folder	2021-11-09 17:30:15 +01:00
Florian Roth	39283c0ac2	CobaltStrike DNS rules	2021-11-09 17:29:43 +01:00
Nate Guagenti	8291aba4d3	remove duplicate exclusion exclude_tlds was listed twice	2021-11-06 15:45:34 -04:00
$frack113$ frack113	193357cf17	Add cve tags	2021-10-25 18:51:40 +02:00
$frack113$ frack113	f8574fcd81	Add cve tags	2021-10-25 18:40:50 +02:00
Florian Roth	d051e1418b	docs: changed title	2021-10-24 15:47:14 +02:00
Florian Roth	7eeecf9c6a	fix: missing upper tick in every line	2021-10-24 15:46:31 +02:00
Florian Roth	86e9f782cb	rule: monero mining pools dns lookup	2021-10-24 15:44:44 +02:00
$frack113$ frack113	c59b0eb543	Merge pull request #2063 from frack113/last_global Split Last Global Rules	2021-09-23 13:54:57 +02:00
$frack113$ frack113	3c906b52a0	fix filename	2021-09-22 16:21:07 +02:00
$frack113$ frack113	e377e4e96f	split global net_high_dns_bytes_out.yml	2021-09-21 19:53:25 +02:00
$frack113$ frack113	6777ca7a82	split global net_high_dns_requests_rate.yml	2021-09-21 19:51:11 +02:00
$frack113$ frack113	00f3055035	split global net_susp_network_scan.yml	2021-09-21 19:47:28 +02:00
neu5ron	61c9c9fb20	Zeek detection for OMIGOD HTTP RCE Signed-off-by: neu5ron <neu5ron@users.noreply.github.com>	2021-09-20 12:26:01 -04:00
$frack113$ frack113	92999468ee	Merge pull request #2012 from frack113/upgrade_test Upgrade test_rules.py	2021-09-11 15:29:19 +02:00
$frack113$ frack113	8d3a77d1f5	Update net_susp_ipify.yml	2021-09-11 08:31:24 +02:00
neonprimetime security (Justin C Miller)	033494c8f7	Propose making rule more generic than just ipify Propose making this detection more generic, cover more lookup services than just ipify https://twitter.com/neonprimetime/status/1436376497980428318	2021-09-10 12:14:43 -05:00
$frack113$ frack113	0288f5b626	fix condition operator case	2021-09-10 13:51:52 +02:00
Thomas Patzke	143744bc12	Various fixes * Backslashes in regular expressions * Casing of condition operators * Further small errors	2021-09-07 23:38:07 +02:00
$frack113$ frack113	086a15fc45	Update global ID	2021-09-02 20:07:03 +02:00
$frack113$ frack113	5ad29cf0c2	fix Base backend doesn't support multiple conditions (29)	2021-08-29 09:03:50 +02:00
$frack113$ frack113	5b869a3f42	Update cve tags	2021-08-24 10:50:01 +02:00
$frack113$ frack113	679651bdf9	Merge pull request #1913 from neu5ron/add_zeek_dce_rpc_printnightmare_print_driver_install Zeek DCE_RPC PrintNightmare	2021-08-24 08:37:02 +02:00
$frack113$ frack113	e76c11da7f	Merge pull request #1908 from neu5ron/patch-7 improve rule logic zeek_default_cobalt_strike_certificate.yml	2021-08-24 08:36:33 +02:00
$frack113$ frack113	293f422243	Merge pull request #1906 from neu5ron/patch-5 improve zeek_dce_rpc_smb_spoolss_named_pipe	2021-08-24 08:36:18 +02:00
$frack113$ frack113	81ec546e42	Merge pull request #1905 from neu5ron/patch-4 improve rule	2021-08-24 08:36:04 +02:00
$frack113$ frack113	15aa0cb70e	add modified	2021-08-24 08:02:24 +02:00

1 2 3 4

175 Commits