 Florian Roth
|
61ad8ddb62
|
docs: reworked id, author, links
|
2022-06-07 17:09:06 +02:00 |
|
|
Florian Roth
|
5ab51d0b9a
|
Merge branch 'master' into rule-devel
|
2022-06-07 10:40:33 +02:00 |
|
|
Florian Roth
|
3086226bf8
|
extended list of domains
|
2022-06-07 10:36:43 +02:00 |
|
|
Florian Roth
|
de4cde1b97
|
rule: external service interaction domains
|
2022-06-07 10:30:38 +02:00 |
|
|
Florian Roth
|
04f1480814
|
refactor: network "other" to "dns" and "firewall"
|
2022-06-07 10:30:21 +02:00 |
|
|
frack113
|
8de0027ca3
|
refactor condition
|
2022-06-03 15:35:24 +02:00 |
|
|
David ANDRE
|
74b9f97b9c
|
Renamed suspicious in filenames to susp
|
2022-05-19 09:37:04 +02:00 |
|
|
frack113
|
ca19c41192
|
Merge pull request #3001 from redsand/fp_zeek_add_ip6_non_routable
FP - adding ip6 non routable filter for zeek
|
2022-05-11 16:48:23 +02:00 |
|
|
Tim Shelton
|
3f3f986259
|
unifying detection
|
2022-05-11 14:30:14 +00:00 |
|
|
Tim Shelton
|
20e09530cf
|
removing leading carrot. moved to startswith usage
|
2022-05-11 14:07:47 +00:00 |
|
|
Tim Shelton
|
af32096ead
|
moving to startswith
|
2022-05-10 22:19:51 +00:00 |
|
|
Tim Shelton
|
b68e491055
|
updating ipv4 private ranges
|
2022-05-10 22:18:58 +00:00 |
|
|
Tim Shelton
|
fdc1a1711a
|
adding ip6 non routable filter
|
2022-05-10 03:07:14 +00:00 |
|
|
phantinuss
|
b991a5be52
|
chore: test rules: warn on errors or invalid FP reasons
also adapted the existing rules to pass the tests
|
2022-05-09 16:07:55 +02:00 |
|
|
phantinuss
|
dbd68bf3f0
|
chore: test rules: capitalization on FP list entries
Entires to the false positive list should begin with
a capital letter. e.g. Unkown instead of unkown.
Fixed the existing rules accordingly
|
2022-05-09 16:07:44 +02:00 |
|
|
mportatoes
|
b912a87a9c
|
Update zeek_dns_nkn.yml
|
2022-04-22 07:26:25 -05:00 |
|
|
mportatoes
|
8d70818e05
|
Create zeek_dns_nkn.yml
|
2022-04-21 15:04:19 -05:00 |
|
|
Florian Roth
|
c331195637
|
fix: empty query in rule > bug
|
2022-03-24 15:17:29 +01:00 |
|
|
phantinuss
|
043747822f
|
fix: more falsepositives harmonization
|
2022-03-16 14:57:06 +01:00 |
|
|
phantinuss
|
84d0c472ba
|
fix: remove penetration test as valid false positive reason
|
2022-03-16 14:33:18 +01:00 |
|
|
phantinuss
|
8d3f8acb60
|
fix: none --> Unknown
|
2022-03-16 14:19:21 +01:00 |
|
|
phantinuss
|
4585133325
|
fix: remove penetration testing as a valid false positive
|
2022-03-16 13:51:26 +01:00 |
|
|
phantinuss
|
b23eee6ebf
|
fix: unknown --> Unknown
|
2022-03-16 13:43:54 +01:00 |
|
|
Nate Guagenti
|
7dc0facf05
|
Update zeek_dns_suspicious_zbit_flag.yml
|
2022-02-24 20:03:56 -05:00 |
|
|
Nate Guagenti
|
878df636e2
|
Update zeek_dns_suspicious_zbit_flag.yml
add MX, common mail server query type to exclusion list.
|
2022-02-24 14:57:24 -05:00 |
|
|
frack113
|
4631d0c482
|
remove invalid tag
|
2022-01-19 18:23:30 +01:00 |
|
|
frack113
|
f7e670d55e
|
Simple Quote
|
2022-01-11 13:40:53 +01:00 |
|
|
Florian Roth
|
e055ec1d52
|
refactor: change all " of them" expressions
|
2022-01-11 10:59:57 +01:00 |
|
|
frack113
|
73f258e2d1
|
Change double quote to quote
|
2022-01-06 14:02:35 +01:00 |
|
|
Florian Roth
|
820cc0ccf8
|
Merge branch 'master' into rule-devel
|
2021-11-29 11:00:25 +01:00 |
|
|
Florian Roth
|
ef7810fa8b
|
fix: fixing issues with wildcard symbol
https://github.com/SigmaHQ/sigma/issues/2339
|
2021-11-29 10:57:01 +01:00 |
|
|
frack113
|
01dc930c17
|
Change status for old rules
|
2021-11-27 11:33:14 +01:00 |
|
|
frack113
|
83dee26262
|
Update net_pua_cryptocoin_mining_xmr.yml
|
2021-11-20 19:20:07 +01:00 |
|
|
V1D1AN
|
d4976b015c
|
add tag mitre attack.t1496 and attack.t1567
|
2021-11-20 16:34:41 +01:00 |
|
|
V1D1AN
|
c190668166
|
add tag mitre t1041 for equation group c2
|
2021-11-20 16:23:27 +01:00 |
|
|
frack113
|
1cfca93354
|
Missing status in rules (#2284)
* add missing status
|
2021-11-19 22:32:26 +01:00 |
|
|
frack113
|
5f87eba896
|
restore src_ip for coverage
|
2021-11-14 10:11:29 +01:00 |
|
|
frack113
|
9d0be2348d
|
Fix field name
|
2021-11-14 09:26:00 +01:00 |
|
|
frack113
|
5245360186
|
No filetype or bodyMagic in zeek http log field
|
2021-11-14 09:24:34 +01:00 |
|
|
Florian Roth
|
4e2e75cd2f
|
Merge branch 'master' into pr/2231
|
2021-11-11 18:09:23 +01:00 |
|
|
Florian Roth
|
c07a9adb9b
|
fix: moved rule written for DNS/Sysmon to the correct folder
|
2021-11-09 17:30:15 +01:00 |
|
|
Florian Roth
|
39283c0ac2
|
CobaltStrike DNS rules
|
2021-11-09 17:29:43 +01:00 |
|
|
Nate Guagenti
|
8291aba4d3
|
remove duplicate exclusion
exclude_tlds was listed twice
|
2021-11-06 15:45:34 -04:00 |
|
|
frack113
|
193357cf17
|
Add cve tags
|
2021-10-25 18:51:40 +02:00 |
|
|
frack113
|
f8574fcd81
|
Add cve tags
|
2021-10-25 18:40:50 +02:00 |
|
|
Florian Roth
|
d051e1418b
|
docs: changed title
|
2021-10-24 15:47:14 +02:00 |
|
|
Florian Roth
|
7eeecf9c6a
|
fix: missing upper tick in every line
|
2021-10-24 15:46:31 +02:00 |
|
|
Florian Roth
|
86e9f782cb
|
rule: monero mining pools dns lookup
|
2021-10-24 15:44:44 +02:00 |
|
|
frack113
|
c59b0eb543
|
Merge pull request #2063 from frack113/last_global
Split Last Global Rules
|
2021-09-23 13:54:57 +02:00 |
|
|
frack113
|
3c906b52a0
|
fix filename
|
2021-09-22 16:21:07 +02:00 |
|