security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions 3 Packages Projects Releases Wiki Activity
Files
dde448ee6b2c4a2b256c09168ea6360f59ca2cc8
sigma-rules/detection_rules/etc/test_toml.json
T
Eric Forte dde448ee6b [Bug] Rule Toml Write Formatting Wrongly Formats \\\\x (#4978) 
* Fix rule and mitigate py toml

* Bump patch version

* Add reference to issue

* Add unit test for path issues

* Update comment

* Certain strings were not properly escaped

* Updated to use json instead of repr

* replace _old_dump_str with json.dumps

* Bump Version
2025-08-18 17:03:51 -04:00

175 lines
5.0 KiB
JSON
Raw Blame History

[
{
"metadata": {
"creation_date": "2020/02/26",
"ecs_version": [
"1.4.0"
],
"maturity": "development",
"updated_date": "2020/02/26"
},
"rule": {
"description": "This rule detects network events that may indicate the use of SSH traffic from the Internet. SSH is commonly used by\nsystem administrators to remotely control a system using the command line shell. If it is exposed to the Internet, it\nshould be done with strong security controls as it is frequently targeted and exploited by threat actors as an initial\naccess or back-door vector.\n",
"false_positives": [
" SSH connections may be made directly to Internet destinations in order to access Linux cloud server instances but\n such connections are usually made only by engineers. In such cases, only SSH gateways, bastions or jump servers may\n be expected Internet destinations and can be exempted from this rule. SSH may be required by some work-flows such as\n remote access and support for specialized software products and servers. Such work-flows are usually known and not\n unexpected. Usage that is unfamiliar to server or network owners can be unexpected and suspicious.\n "
],
"index": [
"filebeat-*"
],
"language": "kuery",
"max_signals": 100,
"name": "SSH (Secure Shell) to the Internet",
"risk_score": 21,
"rule_id": "6f1500bc-62d7-4eb9-8601-7485e87da2f4",
"severity": "low",
"tags": [
"Elastic",
"Network"
],
"type": "query",
"version": 2,
"query": "network.transport: tcp and destination.port:22 and (\n network.direction: outbound or (\n source.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and\n not destination.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\n )\n)\n",
"threat": [
{
"framework": "MITRE ATT&CK",
"technique": [
{
"id": "T1043",
"name": "Commonly Used Port",
"reference": "https://attack.mitre.org/techniques/T1043/"
}
],
"tactic": {
"id": "TA0011",
"name": "Command and Control",
"reference": "https://attack.mitre.org/tactics/TA0011/"
}
}
]
}
},
{
"metadata": {
"field": "value"
},
"rule": {
"path": "?:\\\\Windows\\\\Sys?????\\\\x5lrs.dll"
}
},
{
"metadata": {
"field": "value"
},
"rule": {
"field2": "value2"
}
},
{
"metadata": {
"just": "some",
"flat": "fields",
"for": "testing",
"and": [
[
"fields",
"nested"
],
[
"!",
"too"
]
]
},
"rule": {
"first": "1st",
"second": "2nd",
"third": "3rd",
"fourth": 4,
"fifth": [
1,
2,
3
],
"list": [
{
"one": [
2,
3
]
},
{
"two": {
"three": 4
}
}
],
"more_data": {
"one": {
"two": {
"three": {
"four": {
"five": [
[
1,
22,
333
],
[[4], [5], [6]],
[["a"], ["b"], ["c"], [12, 13, 14]]
]
}
}
}
}
}
}
},
{
"metadata": {
"just": "some",
"flat": "fields",
"for": "testing"
},
"transform": {
"osquery": [
{
"label": "some label",
"query": "some query"
},
{
"label": "some label",
"query": "some query"
},
{
"label": "some label",
"query": "some query"
}
],
"investigate": [
{
"label": "some label",
"relativeFrom": "now-48h/h",
"relativeTo": "now",
"providers": [
[
{"field": "event.kind", "excluded": false, "queryType": "phrase", "value": "signal", "valueType": "string"},
{"field": "user.id", "excluded": false, "queryType": "phrase", "value": "{{user.id}}", "valueType": "string"}
]
]
},
{
"label": "some label",
"relativeFrom": "now-48h/h",
"relativeTo": "now",
"providers": [
[
{"field": "event.kind", "excluded": false, "queryType": "phrase", "value": "signal", "valueType": "string"},
{"field": "host.name", "excluded": false, "queryType": "phrase", "value": "{{host.name}}", "valueType": "string"}
]
]
}
]
}
}
]
Reference in New Issue View Git Blame Copy Permalink