first commit

2026-02-11 12:05:22 +01:00 · 2026-02-11 12:05:22 +01:00 · 45509c286f
commit 45509c286f
10 changed files with 1232 additions and 0 deletions
--- a/3cx_Rules.xml
+++ b/3cx_Rules.xml
@ -0,0 +1,110 @@
 <!-- Toute erreur CallFlow -->
 <group name="3cx,">
 <rule id="100200" level="8">
  <decoded_as>3cx-parent-datetime</decoded_as>
  <field name="level">Erro</field>
  <description>3CX CallFlow error</description>
  <group>3cx,callflow,error,</group>
 </rule>
 </group>
 <!-- “Route failed” explicite -->
 <group name="3cx,">
 <rule id="100201" level="10">
  <decoded_as>3cx-parent-datetime</decoded_as>
  <match>Route failed</match>
  <description>3CX routing failure - Appel sortant impossible</description>
  <group>3cx,callflow,routing,</group>
 </rule>
 </group>
 <!-- Regroupement : >=5 échecs en 60s = route failed -->
 <group name="3cx,">
 <rule id="100205" level="12" frequency="5" timeframe="60">
  <if_matched_sid>100201</if_matched_sid>
  <description>3CX Route failed  — communication externe impossible</description>
  <group>3cx,callflow,outage,provider,</group>
 </rule>
 </group>
 <!-- ParentConnectionTerminated (fort signal opérateur/trunk) -->
 <group name="3cx,">
 <rule id="100202" level="10">
  <decoded_as>3cx-parent-datetime</decoded_as>
  <field name="result">ParentConnectionTerminated</field>
  <description>3CX: parent connection terminated (likely trunk/provider issue)</description>
  <group>3cx,callflow,trunk,provider,outage,</group>
 </rule>
 </group>
 <!-- Regroupement : >=5 échecs en 60s = panne possible -->
 <group name="3cx,">
 <rule id="100203" level="12" frequency="5" timeframe="60">
  <if_matched_sid>100202</if_matched_sid>
  <description>3CX widespread routing failures  — probable provider outage</description>
  <group>3cx,callflow,outage,provider,</group>
 </rule>
 </group>
 <!-- 100207 : FCM unauthorized (unitaire) -->
 <group name="3cx,">
  <rule id="100207" level="7">
    <decoded_as>3cx-parent-datetime</decoded_as>
    <match>Got Unauthorized from FCM</match>
    <description>3CX Push: FCM unauthorized (apps mobile non fonctionnel)</description>
    <group>3cx,push,notification,fcm,</group>
  </rule>
 </group>
 <!-- 100208 : FCM unauthorized répété = incident -->
 <group name="3cx,">
  <rule id="100208" level="10" frequency="3" timeframe="900">
    <if_matched_sid>100207</if_matched_sid>
    <description>3CX Push: multiples FCM unauthorized (probable panne notifications mobiles)</description>
    <group>3cx,push,notification,fcm,outage,</group>
  </rule>
 </group>
 <!-- 100209 : (CRM) Erreur HTTP client (unitaire) -->
 <group name="3cx,">
  <rule id="100209" level="8">
    <if_sid>100200</if_sid>
    <match>_3CX.HttpClient</match>
    <field name="message">failed</field>
    <description>3CX Integration: requête HTTP échouée (CRM)</description>
    <group>3cx,integration,http,</group>
  </rule>
 </group>
 <!-- 100210 : Rafale d'échecs HTTP = panne d’intégration -->
 <group name="3cx,">
  <rule id="100210" level="9" frequency="5" timeframe="600">
    <if_matched_sid>100209</if_matched_sid>
    <description>3CX Integration: multiples requêtes HTTP échouées (panne probable du service tiers)</description>
    <group>3cx,integration,http,outage,</group>
  </rule>
 </group>
 <!-- 100211 : DBProvPostgress erreur (unitaire) -->
 <group name="3cx,">
  <rule id="100211" level="9">
    <if_sid>100200</if_sid>
    <match>DBProvPostgress</match>
    <regex type="pcre2">(BatchUpdate|INSERT FAILED)</regex>
    <description>3CX DB: erreur critique PostgreSQL (BatchUpdate/INSERT)</description>
    <group>3cx,db,postgres,error,</group>
  </rule>
 </group>
 <!-- 100212 : DB erreurs répétées = incident majeur -->
 <group name="3cx,">
  <rule id="100212" level="12" frequency="3" timeframe="300">
    <if_matched_sid>100211</if_matched_sid>
    <description>3CX DB: erreurs PostgreSQL répétées (instabilité probable)</description>
    <group>3cx,db,postgres,outage,</group>
  </rule>
 </group>
--- a/Brut-force-VPN.xml
+++ b/Brut-force-VPN.xml
@ -0,0 +1,12 @@
 <!-- Modify it at your will. -->
 <group name="authentication_failures,gdpr_IV_32.2,gdpr_IV_35.7.d,gpg13_7.1,hipaa_164.312.b,nist_800_53_AC.7,nist_800_53_AU.14,nist_800_53_AU.6,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_10.6.1,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,">
    <rule id="81615" level="15" frequency="10" timeframe="45" ignore="240" overwrite="yes">
        <if_matched_sid>81614</if_matched_sid>
        <same_field>data.remip</same_field>
        <description>Fortigate: Multiple firewall SSL VPN failed login events from same source.</description>
        <mitre>
            <id>T1110</id>
            <id>T1133</id>
        </mitre>
    </rule>
 </group> 
--- a/Brut-force-linux.xml
+++ b/Brut-force-linux.xml
@ -0,0 +1,23 @@
 <!-- Brut force SSH-tty PAM -->
 <group name="authentication_failures,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_11.4,gpg13_7.8,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,nist_800_53_SI.4,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,">
  <rule id="100153" level="15" frequency="8" timeframe="180">
    <if_matched_sid>5503</if_matched_sid>
    <same_field>srcip</same_field>
    <description>Brut force Linux</description>
    <mitre>
      <id>T1110</id>
    </mitre>
  </rule>
 </group>
 <group name="authentication_failures,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_11.4,gpg13_7.8,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,nist_800_53_SI.4,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,">
  <rule id="100154" level="15" frequency="8" timeframe="180">
    <if_matched_sid>5503</if_matched_sid>
    <same_field>tty</same_field>
    <description>Brut force Linux</description>
    <mitre>
      <id>T1110</id>
    </mitre>
  </rule>
 </group>
--- a/Connexion-admin.xml
+++ b/Connexion-admin.xml
@ -0,0 +1,94 @@
 <!-- Alerte si connexion Administrateur -->
 <!-- Alerte si connexion Administrateur (local)-->
 <group name="Co-Windows">
  <rule id="100002" level="3">
    <if_sid>60106</if_sid>
    <field name="data.win.eventdata.targetUserName">administrateur</field>
    <description>Windows Logon Sucess Admin</description>
    <options>no_full_log</options>
    <group>authentication_success,pci_dss_10.2.5,gpg13_7.1,gpg13_7.2,gdpr_IV_32.2,hipaa_164.312.b,nist_80></group>
  </rule>
 </group>
 <!-- Règle de base wazuh - Overwrite -->
 <!-- Co RDP -->
 <group name="windows,rdp,authentication_success,">  
  <rule id="92653" level="2" overwrite="yes">
    <if_sid>92651</if_sid>
    <field name="win.eventdata.logonType" type="pcre2">10</field>
    <description>User: $(win.eventdata.subjectDomainName)\$(win.eventdata.targetUserName) logged using Remote Desktop Connection (RDP) from ip:$(win.eventdata.ipAddress).</description>
    <mitre>
      <id>T1021.001</id>
      <id>T1078.002</id>
    </mitre>
  </rule>
 </group>
 <!-- Co avec privilège admin -->
 <group name="windows,auth,privileged,">  
  <rule id="67028" level="3" overwrite="yes">
    <if_sid>60103</if_sid>
    <field name="win.system.eventID">^4672$</field>
    <field name="win.eventdata.subjectUserSid" negate="yes">^S-1-5-18$</field>
    <description>Special privileges assigned to new logon.</description>
    <mitre>
      <id>T1484</id>
    </mitre>
    <options>no_full_log</options>
  </rule>
 </group>
 <!-- Co utilisateur -->
 <group name="authentication_success,pci_dss_10.2.5,gpg13_7.1,gpg13_7.2,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.9,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,">
  <rule id="60106" level="1" overwrite="yes">
    <if_sid>60103</if_sid>
    <field name="win.system.eventID">^528$|^540$|^673$|^4624$|^4769$</field>
    <description>Windows Logon Success</description>
    <options>no_full_log</options>
    <mitre>
      <id>T1078</id>
    </mitre>
  </rule>
 </group>
 <!-- Déco utilisateur -->
 <group name="pci_dss_10.2.5,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,">  
  <rule id="60137" level="1" overwrite="yes">
    <if_sid>60103</if_sid>
    <field name="win.system.eventID">^538$|^551$|^4634$|^4647$</field>
    <description>Windows User Logoff</description>
    <options>no_full_log</options>
  </rule>
 </group>
 <!-- Règle alerte RDP 
 <group name="windows,rdp,authentication_success,">
  <rule id="100003" level="10">
    <field name="win.system.eventID">1149</field>
    <description>Connexion RDP réussie détectée (1149)</description>
    <group>rdp,windows,authentication_success,</group>
  </rule>
 </group>
 -->
 <!-- Règle alerte RDP - co entre 0:00 et 5:00-->  
 <group name="windows,auth,privileged,quiet_hours,">
  <rule id="100300" level="12">
    <if_sid>67028</if_sid>
    <time>00:00-05:00</time>
    <description>Privileged logon during quiet hours (00:00–05:00 local)</description>
    <options>no_full_log</options>
  </rule>
 </group>
 <!-- Alerte si déconnexion Administrateur -->
 <group name="Co-Windows">
  <rule id="100005" level="3">
    <if_sid>60137</if_sid>
    <field name="data.win.eventdata.targetUserName">administrateur</field>
    <description>Windows Logoff Admin</description>
    <options>no_full_log</options>
    <group>authentication_success,pci_dss_10.2.5,gpg13_7.1,gpg13_7.2,gdpr_IV_32.2,hipaa_164.312.b,nist_80></group>
  </rule>
 </group>
--- a/Logon-failure-win.xml
+++ b/Logon-failure-win.xml
@ -0,0 +1,27 @@
 <!-- Overwrite règles de base wazuh logon failure - Add event 4771 -->
 <group name="authentication_failed,windows,windows_security,">  
  <rule id="60105" level="5" overwrite="yes">
    <if_sid>60104</if_sid>
    <field name="win.system.eventID">^529$|^530$|^531$|^532$|^533$|^534$|^535$|^536$|^537$|^539$|^4625$|^4771$</field>
    <description>Windows Logon Failure</description>
    <options>no_full_log</options>
    <group>authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
    <mitre>
      <id>T1078</id>
    </mitre>
  </rule>
 </group>
 <group name="authentication_failed,windows,windows_security,">
  <rule id="60122" level="5" overwrite="yes">
    <if_sid>60105</if_sid>
    <field name="win.system.eventID">^529$|^4625$|^4771$</field>
    <description>Logon Failure - Unknown user or bad password</description>
    <options>no_full_log</options>
    <group>authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
    <mitre>
      <id>T1531</id>
    </mitre>
  </rule>
 </group>
--- a/README.md
+++ b/README.md
@ -0,0 +1,57 @@
 # Wazuh - Custom Rules (local_rules)
 Repo de gestion de version pour les **custom rules Wazuh** (et optionnellement decoders / lists).
 Objectif : versionner, documenter, tester, et déployer proprement sur un ou plusieurs Wazuh Manager.
 ---
 ## Contenu
 - `rules/` : règles locales (`local_rules.xml` ou fichiers découpés par thèmes)
 - `decoders/` : decoders locaux (si utilisés)
 - `lists/` : CDB lists (si utilisées)
 - `tests/` : exemples d'événements/logs de test
 - `scripts/` : scripts de validation / déploiement (optionnel)
 ---
 ## Prérequis
 - Accès au Wazuh Manager
 - Droits root / wazuh selon votre infra
 - Connaissance de base Wazuh ruleset (`<group>`, `<rule>`, `<if_sid>`, etc.)
 Chemins classiques sur le manager :
 - Rules locales : `/var/ossec/etc/rules/local_rules.xml`
 - Decoders locaux : `/var/ossec/etc/decoders/local_decoder.xml`
 - Lists : `/var/ossec/etc/lists/`
 ---
 ## Bonnes pratiques
 ### 1) Règles : petites et lisibles
 - 1 règle = 1 objectif
 - Commenter les règles non triviales
 - Garder une logique de nommage
 Exemple de convention :
 - IDs : réserver une plage (ex: `100000` - `109999`) pour votre org
 - Groupes : `local,windows,authentication` / `local,linux,hardening` etc.
 ### 2) Ne pas casser le pipeline
 - Toujours valider la syntaxe XML
 - Tester avec des logs réels/samples avant mise en prod
 - Éviter les conditions trop larges (sinon alert storm)
 ### 3) Versionner ce qui est "source"
 - Versionner : règles, decoders, lists, samples de test
 - Ne pas versionner : secrets, exports complets, archives, fichiers temporaires
 ---
 ## Déploiement (manuel)
 ### 1) Sauvegarde (recommandé)
 ```bash
 sudo cp /var/ossec/etc/rules/local_rules.xml /var/ossec/etc/rules/local_rules.xml.bak.$(date +%F_%H%M)
--- a/Suricata.xml
+++ b/Suricata.xml
@ -0,0 +1,648 @@
 <!-- Custom rules suricata -->
 <!-- Overwrite règle de base pour debug
 <group name="ids, suricata">
    <rule id="86601" level="3" overwrite="yes">
        <if_sid>86600</if_sid>
        <field name="event_type">^alert$</field>
        <description>Suricata: Alert - $(alert.signature)</description>
        <options>no_full_log</options>
    </rule>
 </group> -->
 <!-- Enlève bruit "Not Suspicious Traffic" -->
 <group name="ids, suricata">
    <rule id="100500" level="0">
        <if_sid>86601</if_sid>
        <field name="alert.category">^Not Suspicious Traffic$</field>
        <description>Suricata: Alert - $(alert.signature)</description>
        <options>no_full_log</options>
    </rule>
 </group>
 <!-- Enlève bruit "DNS" -->
 <group name="ids, suricata">
    <rule id="100501" level="0">
        <if_sid>86601</if_sid>
        <field name="flow.dest_port">^53$</field>
        <description>Suricata: Alert - $(alert.signature)</description>
        <options>no_full_log</options>
    </rule>
 </group>
 <!-- Enlève bruit : Alertes RST invalides isolées -->
 <group name="ids, suricata">
    <rule id="100510" level="0">
        <if_sid>86601</if_sid>
        <field name="alert.signature">^SURICATA STREAM SHUTDOWN RST invalid ack$</field>
        <description>Suricata: Alert - $(alert.signature)</description>
        <options>no_full_log</options>
    </rule>
 </group>
 <!-- Alertes RST invalides en masse -->
 <group name="ids, suricata">
    <rule id="100511" level="10" frequency="10" timeframe="180">
        <if_matched_sid>100510</if_matched_sid>
        <same_field>flow.src_ip</same_field>
        <description>Suricata: Alert - $(alert.signature)</description>
        <options>no_full_log</options>
    </rule>
 </group>
 <!-- Bruit TCP : SYNACK resend avec ACK différent -->
 <group name="ids,suricata">
  <rule id="100512" level="1">
    <if_sid>86601</if_sid>
    <field name="alert.signature">SURICATA STREAM ESTABLISHED SYNACK resend with different ACK</field>
    <description>Suricata: TCP handshake anomaly (retransmission/reordering/capture/offload) - noise reduction</description>
    <options>no_full_log</options>
  </rule>
 </group>
 <!-- Escalade : burst de SYNACK resend anomalies depuis un même client -->
 <group name="ids,suricata">
  <rule id="100513" level="12" frequency="25" timeframe="300">
    <if_matched_sid>100512</if_matched_sid>
    <same_field>flow.src_ip</same_field>
    <description>Suricata: Repeated SYNACK resend anomalies from same host (possible evasion / broken TCP stack / capture issue)</description>
    <mitre>
        <id>T1046</id>
    </mitre>
    <options>no_full_log</options>
  </rule>
 </group>
 <!-- Enlève bruit : Accès SMB suspect
 <group name="ids, suricata">
    <rule id="100504" level="2">
        <if_sid>86601</if_sid>
        <field name="alert.category">^ET INFO SMB2 NT Create AndX Request For an Executable File$</field>
        <description>Suricata: Alert - $(alert.signature)</description>
        <options>no_full_log</options>
    </rule>
 </group> -->
 <!-- Alertes SMB executable quiet hour : 0h00 5h00
 <group name="ids, suricata">
    <rule id="100505" level="10">
        <if_sid>100504</if_sid>
        <time>00:00-05:00</time>
        <description>Suricata: Alert - $(alert.signature)</description>
        <options>no_full_log</options>
    </rule>
 </group> -->
 <!-- Alerte SCAN RESEAU -->
 <group name="ids, suricata">
    <rule id="100520" level="15" frequency="10" timeframe="60" ignore="300">
        <if_matched_sid>86601</if_matched_sid>
        <field type="pcre2" name="alert.signature">(Applayer Mismatch|malformed request|unable to match|Sipvicious|SCAN)</field>
        <!-- <field name="alert.signature">^ET SCAN Possible Nmap User-Agent Observed$</field> -->
        <description>Suricata: Alert - $(alert.signature)</description>
        <options>no_full_log</options>
    </rule>
 </group>
 <!-- Reduction bruit TCP overlaps suspect -->
 <group name="ids, suricata">
    <rule id="100530" level="2">
        <if_sid>86601</if_sid>
        <field name="alert.signature">^SURICATA STREAM reassembly overlap with different data$</field>
        <description>Suricata: Alert - $(alert.signature)</description>
        <options>no_full_log</options>
    </rule>
 </group>
 <!-- Alerte TCP Overlaps répété depuis même IP -->
 <group name="ids, suricata">
    <rule id="100531" level="12" frequency="20" timeframe="600">
        <if_matched_sid>100530</if_matched_sid>
        <same_field>flow.src_ip</same_field>
        <description>Suricata: Alert - $(alert.signature)</description>
        <options>no_full_log</options>
    </rule>
 </group>
 <!-- Reduction bruit TCP avec ack invalide -->
 <group name="ids, suricata">
    <rule id="100532" level="0">
        <if_sid>86601</if_sid>
        <field name="alert.signature">^SURICATA STREAM Packet with invalid ack$</field>
        <description>Suricata: Alert - $(alert.signature)</description>
        <options>no_full_log</options>
    </rule>
 </group>
 <!-- Multiple TCP ack invalide -->
 <group name="ids, suricata">
    <rule id="100533" level="12" frequency="50" timeframe="300">
        <if_matched_sid>100532</if_matched_sid>
        <same_field>flow.src_ip</same_field>
        <description>Suricata: Alert - Multiple TCP ack invalides - Possible ataque TCP</description>
        <options>no_full_log</options>
    </rule>
 </group>
 <!-- Reduction bruit TLS Fail -->
 <group name="ids, suricata">
    <rule id="100540" level="2">
        <if_sid>86601</if_sid>
        <field name="alert.signature">^ET INFO TLS Handshake Failure$</field>
        <description>Suricata: Alert - $(alert.signature)</description>
        <options>no_full_log</options>
    </rule>
 </group>
 <!-- Alerte TLS Fail répété depuis même IP -->
 <group name="ids, suricata">
    <rule id="100541" level="12" frequency="50" timeframe="300">
        <if_matched_sid>100540</if_matched_sid>
        <same_field>flow.src_ip</same_field>
        <description>Suricata: Alert - $(alert.signature)</description>
        <options>no_full_log</options>
    </rule>
 </group>
 <!-- Reduction bruit NSCI Microsoft -->
 <group name="ids, suricata">
    <rule id="100550" level="0">
        <if_sid>86601</if_sid>
        <field name="alert.signature">^ET INFO Microsoft Connection Test$</field>
        <description>Suricata: Alert - $(alert.signature)</description>
        <options>no_full_log</options>
    </rule>
 </group>
 <!-- Alerte NCSI répété depuis même IP -->
 <group name="ids, suricata">
    <rule id="100551" level="12" frequency="20" timeframe="600">
        <if_matched_sid>100550</if_matched_sid>
        <same_field>flow.src_ip</same_field>
        <description>Suricata: Alert - NCSI excessif - Problème réseau</description>
        <options>no_full_log</options>
    </rule>
 </group>
 <!-- Reduction bruit Timestamp invalid -->
 <group name="ids, suricata">
    <rule id="100560" level="2">
        <if_sid>86601</if_sid>
        <field name="alert.signature">^SURICATA STREAM Packet with invalid timestamp$</field>
        <description>Suricata: Alert - $(alert.signature)</description>
        <options>no_full_log</options>
    </rule>
 </group>
 <!-- Multiple Timestamps invalies -->
 <group name="ids, suricata">
    <rule id="100561" level="12" frequency="100" timeframe="300">
        <if_matched_sid>100560</if_matched_sid>
        <same_field>flow.src_ip</same_field>
        <description>Suricata: Alert - Multiple timestamps invalides - Possible évasion IDS</description>
        <options>no_full_log</options>
    </rule>
 </group>
 <!-- Reduction bruit FIN anormaux -->
 <group name="ids, suricata">
    <rule id="100570" level="0">
        <if_sid>86601</if_sid>
        <field name="alert.signature">^SURICATA STREAM FIN out of window$</field>
        <description>Suricata: Alert - $(alert.signature)</description>
        <options>no_full_log</options>
    </rule>
 </group>
 <!-- Multiple FIN Anormaux -->
 <group name="ids, suricata">
    <rule id="100571" level="12" frequency="30" timeframe="600">
        <if_matched_sid>100570</if_matched_sid>
        <same_field>flow.src_ip</same_field>
        <description>Suricata: Alert - Multiple FIN Anormaux - Possible problème réseau ou attaque</description>
        <options>no_full_log</options>
    </rule>
 </group>
 <!-- Reduction bruit FIN invalid -->
 <group name="ids, suricata">
    <rule id="100572" level="0">
        <if_sid>86601</if_sid>
        <field name="alert.signature">^SURICATA STREAM FIN invalid ack$</field>
        <description>Suricata: Alert - $(alert.signature)</description>
        <options>no_full_log</options>
    </rule>
 </group>
 <!-- Multiple FIN invalid -->
 <group name="ids, suricata">
    <rule id="100573" level="12" frequency="30" timeframe="600">
        <if_matched_sid>100572</if_matched_sid>
        <field name="alert.signature">^SURICATA STREAM FIN invalid ack$</field>
        <description>Suricata: Alert - $(alert.signature)</description>
        <options>no_full_log</options>
    </rule>
 </group>
 <!-- Reduction bruit UDPv6 invalid Unifi-->
 <group name="ids, suricata">
    <rule id="100580" level="2">
        <if_sid>86601</if_sid>
        <field name="alert.signature">^SURICATA UDPv6 invalid checksum$</field>
        <field name="dest_port">5353</field>
        <description>Suricata: Alert - $(alert.signature)</description>
        <options>no_full_log</options>
    </rule>
 </group>
 <!-- Multiple UDPv6 invalid -->
 <group name="ids, suricata">
    <rule id="100581" level="12" frequency="20" timeframe="300">
        <if_matched_sid>86601</if_matched_sid>
        <field name="alert.signature">^SURICATA UDPv6 invalid checksum$</field>
        <same_field>flow.src_ip</same_field>
        <description>Suricata: Alert - IPv6 UDP malformed packet flooding (repeated invalid checksum)</description>
        <mitre>
            <id>T1046</id>
        </mitre>
        <options>no_full_log</options>
    </rule>
 </group>
 <!-- Reduction bruit SMB too many transaction - FS17101 -->
 <group name="ids, suricata">
    <rule id="100590" level="1">
        <if_sid>86601</if_sid>
        <field name="alert.signature">^SURICATA SMB too many transactions$</field>
        <field type="pcre2" name="flow.dest_ip">(10.171.101.36|10.172.101.113)</field>
        <description>Suricata: Alert - $(alert.signature)</description>
        <options>no_full_log</options>
    </rule>
 </group>
 <!-- Reduction bruit SMB too many transaction - FS17101 -->
 <group name="ids, suricata">
    <rule id="100591" level="1">
        <if_sid>86601</if_sid>
        <field name="alert.signature">^SURICATA SMB too many transactions$</field>
        <field type="pcre2" name="flow.src_ip">(10.171.101.36|10.172.101.113)</field>
        <description>Suricata: Alert - $(alert.signature)</description>
        <options>no_full_log</options>
    </rule>
 </group>
 <!-- Possible SMB enumération or ransomware activity -->
 <group name="ids, suricata">
    <rule id="100592" level="12" frequency="10" timeframe="600">
        <if_matched_sid>100591</if_matched_sid>
        <same_field>flow.src_ip</same_field>
        <field name="flow.dest_ip" negate="yes">10.171.101.36</field>
        <field name="alert.signature">^SURICATA SMB too many transactions$</field>
        <description>Suricata : Possible SMB enumeration or ransomware activity</description>
        <mitre>
            <id>T1021.002</id>
        </mitre>
        <options>no_full_log</options>
    </rule>
 </group>
 <!-- Filtrage Executable file SMB -->
 <group name="ids, suricata">
    <rule id="100592" level="0">
        <if_sid>86601</if_sid>
        <field name="alert.signature">^ET INFO SMB2 NT Create AndX Request For an Executable File$</field>
        <description>Suricata: Filtrage executable file SMB</description>
        <options>no_full_log</options>
    </rule>
 </group>
 <!-- Filtrage Executable file SMB -->
 <group name="ids, suricata">
    <rule id="100593" level="7">
        <if_sid>100592</if_sid>
        <field name="smb.filename">.+</field>
        <description>Suricata: Filtrage executable file SMB</description>
        <options>no_full_log</options>
    </rule>
 </group>
 <!-- Exception métier : Sphinx exécuté depuis SMB -->
 <group name="ids,suricata">
  <rule id="100594" level="0">
    <if_sid>100593</if_sid>
    <regex type="pcre2" field="smb.filename">(?i)Systeme.*\.exe</regex>
    <description>
      Suricata: Known business software (Sphinx) executed from SMB share
    </description>
    <options>no_full_log</options>
  </rule>
 </group>
 <!-- Alertes critic : Executable file - Autre que fichier lambda -->
 <group name="ids, suricata">
    <rule id="100595" level="12">
        <if_sid>100593</if_sid>
        <field name="alert.signature">^ET INFO SMB2 NT Create AndX Request For an Executable File$</field>
        <regex type="pcre2" negate="yes" field="smb.filename">(?i)\.(pdf|docx?|xlsx?|pptx?|txt|jpe?g|png|gif|csv|zip|rar)</regex>
        <description>Suricata: Fichier executable dans dossier partagé</description>
        <!-- <options>no_full_log</options> -->
    </rule>
 </group>
 <!-- Executable sur SMB
 <group name="ids, suricata">
    <rule id="100596" level="12">
        <if_sid>86601</if_sid>
        <field name="alert.signature">^ET INFO SMB2 NT Create AndX Request For an Executable File$</field>
        <regex type="pcre2" field="smb.filename">(?i)\.(exe|dll|bat|cmd|ps1|vbs|js|msi|scr|pif|com)([^\\\/]|$)</regex>
        <description>Suricata : Executable lancer sur dossier partagé</description>
        <mitre>T1021.002</mitre>
        <options>no_full_log</options>
    </rule>
 </group> -->
 <!-- Réduction bruit SMB DLL open depuis serveur de fichiers -->
 <group name="ids, suricata">
    <rule id="100597" level="1">
        <if_sid>86601</if_sid>
        <field name="alert.signature">ET INFO SMB2 NT Create AndX Request For a DLL File - Possible Lateral Movement</field>
        <field name="dest_ip">10.171.101.36</field>
        <description>Suricata : SMB DLL access on file server (often legitimate shared app/library)</description>
        <options>no_full_log</options>
    </rule>
 </group>
 <!-- Réduction bruit SMB DLL open depuis serveur de fichiers -->
 <group name="ids, suricata">
    <rule id="100598" level="10">
        <if_sid>86601</if_sid>
        <field name="alert.signature">ET INFO SMB2 NT Create AndX Request For a DLL File - Possible Lateral Movement</field>
        <field name="dest_ip" negate="yes">10.171.101.36</field>
        <description>Suricata : SMB DLL access on file server (often legitimate shared app/library)</description>
        <options>no_full_log</options>
    </rule>
 </group>
 <!-- Bruit SMB : lecture normale de fichier dossier partagé (file overlap) -->
 <group name="ids,suricata">
  <rule id="100599" level="1">
    <if_sid>86601</if_sid>
    <field name="alert.signature">SURICATA SMB file overlap</field>
    <description>Suricata: SMB file overlap (normal SMB read behaviour)</description>
    <options>no_full_log</options>
  </rule>
 </group>
 <!-- Reduction bruit DNS over HTTPS (DOH) -->
 <group name="ids, suricata">
        <rule id="100600" level="1">
        <if_sid>86601</if_sid>
        <field name="alert.metadata.tag">DoH</field>
        <description>Suricata : DNS over HTTPS</description>
        <options>no_full_log</options>
    </rule>
 </group>
 <!-- DOH sur VLAN ADMINSYS -->
 <group name="ids, suricata">
    <rule id="100601" level="12">
        <if_sid>100600</if_sid>
        <regex field="src_ip">^10\.172\.253\.</regex>
        <description>Suricata DNS over HTTPS VLAN ADMINSYS</description>
        <mitre>
            <id>T1071.004</id>
        </mitre>
        <options>no_full_log</options>
    </rule>
 </group>
 <!-- Reduction bruit Bad Windows update -->
 <group name="ids, suricata">
    <rule id="100610" level="1">
        <if_sid>86601</if_sid>
        <field name="alert.signature">SURICATA STREAM bad window update</field>
        <description>Suricata : Network/offloading/capture noiseS</description>
        <options>no_full_log</options>
    </rule>
 </group>
 <!-- Multiple TCP Bad Windows update -->
 <group name="ids, suricata">
    <rule id="100611" level="10" frequency="50" timeframe="300">
        <if_matched_sid>100610</if_matched_sid>
        <same_field>src_ip</same_field>
        <description>High rate of TCP bad window updates from same host (possible local network stack/capture issue)</description>
        <mitre>
            <id>T1071.004</id>
        </mitre>
        <options>no_full_log</options>
    </rule>
 </group>
 <!-- Réduction bruit UDP invalid checksum (QUIC/UDP443) -->
 <group name="ids, suricata">
    <rule id="100620" level="1">
        <if_sid>86601</if_sid>
        <field name="alert.signature">SURICATA UDPv4 invalid checksum</field>
        <description>Suricata : UDPv4 invalid checksum - likely NIC offload/SPAN capture noise (often QUIC)</description>
        <options>no_full_log</options>
    </rule>
 </group>
 <!-- Multiple UDP invalid checksum from same source (possible malformed UDP flood) -->
 <group name="ids, suricata">
    <rule id="100621" level="12" frequency="200" timeframe="60">
        <if_matched_sid>100620</if_matched_sid>
        <same_field>flow.src_ip</same_field>
        <description>High rate of UDPv4 invalid checksum from same host (possible malformed UDP flood / DoS)</description>
        <options>no_full_log</options>
    </rule>
 </group>
 <!-- Reduction bruit : TCP CLOSEWAIT FIN out of window (infra / supervision) -->
 <group name="ids,suricata">
  <rule id="100630" level="1">
    <if_sid>86601</if_sid>
    <field name="alert.signature">
      SURICATA STREAM CLOSEWAIT FIN out of window
    </field>
    <description>
      Suricata: TCP CLOSEWAIT FIN anomaly on known supervision traffic (likely FP)
    </description>
    <options>no_full_log</options>
  </rule>
 </group>
 <!-- Escalade : TCP CLOSEWAIT FIN out of window flooding -->
 <!-- TCP Evasion, outils de scan bas niveau, fuzzing TCP, Stack TCP custom/malveillant -->
 <group name="ids,suricata">
  <rule id="100631" level="12" frequency="30" timeframe="300">
    <if_matched_sid>100630</if_matched_sid>
    <same_field>src_ip</same_field>
    <description>
      Suricata: Repeated TCP CLOSEWAIT FIN anomalies from same host (possible evasion or broken TCP stack)
    </description>
    <mitre>
        <id>T1046</id>
    </mitre>
    <options>no_full_log</options>
  </rule>
 </group>
 <!-- Bruit TCP : packet out of window sur session établie -->
 <group name="ids,suricata">
  <rule id="100632" level="1">
    <if_sid>86601</if_sid>
    <field name="alert.signature">SURICATA STREAM ESTABLISHED packet out of window</field>
    <description>Suricata: TCP stream out-of-window (likely retransmission/capture/offload) - noise reduction</description>
    <options>no_full_log</options>
  </rule>
 </group>
 <!-- Escalade : burst de out-of-window depuis une même machine -->
 <!-- TCP Evasion, Hijack, scan bas niveau -->
 <group name="ids,suricata">
  <rule id="100633" level="12" frequency="30" timeframe="300">
    <if_matched_sid>100632</if_matched_sid>
    <same_field>flow.src_ip</same_field>
    <description>Suricata: Repeated TCP out-of-window packets from same host (possible evasion / unstable TCP stack / capture issue)</description>
    <mitre>
        <id>T1046</id>
    </mitre>
    <options>no_full_log</options>
  </rule>
 </group>
 <!-- STUN (WebRTC/VoIP) -->
 <group name="ids,suricata">
  <rule id="100640" level="7">
    <if_sid>86601</if_sid>
    <match>ET INFO Session Traversal Utilities for NAT (STUN Binding Response)</match>
    <description>Suricata: STUN binding response (likely WebRTC/VoIP)</description>
    <options>no_full_log</options>
  </rule>
 </group>
 <!-- Bruit STUN (WebRTC/VoIP) -->
 <group name="ids,suricata">
  <rule id="100641" level="1">
    <if_sid>100640</if_sid>
    <regex type="pcre2" field="flow.src_ip">192\.168\.12\.*</regex>
    <description>Suricata: STUN binding response (likely WebRTC/VoIP) - noise reduction</description>
    <options>no_full_log</options>
  </rule>
 </group>
 <!-- Bruit STUN (WebRTC/VoIP) -->
 <group name="ids,suricata">
  <rule id="100642" level="1">
    <if_sid>100640</if_sid>
    <regex type="pcre2" field="flow.src_ip">10\.17[0-9]\.[1|2]\.</regex>
    <description>Suricata: STUN binding response (likely WebRTC/VoIP) - noise reduction</description>
    <options>no_full_log</options>
  </rule>
 </group>
 <!-- STUN anormal : trop fréquent depuis le même host -->
 <!-- Attaque : Contournement P2P/WebRTC, outil de tunnelling, C2 -->
 <group name="ids,suricata">
  <rule id="100643" level="12" frequency="80" timeframe="300">
    <if_matched_sid>100640</if_matched_sid>
    <same_field>flow.src_ip</same_field>
    <description>Suricata: Abnormal STUN activity burst (possible tunneling / unauthorized VoIP / P2P)</description>
    <mitre>
        <id>T1071</id>
    </mitre>
    <options>no_full_log</options>
  </rule>
 </group>
 <!-- Réduction bruit saturation synchro PBS -->
 <!-- invalid ack - dest port 8007 -->
 <group name="ids,suricata,noise">
  <rule id="100650" level="0">
    <if_sid>86601</if_sid>
    <field name="alert.signature">SURICATA STREAM ESTABLISHED invalid ack</field>
    <field name="dest_port">8007</field>
    <time>22:00-23:00</time>
    <description>Ignore Suricata invalid ack between PBS during replication</description>
    <options>no_full_log</options>
  </rule>
 </group>
 <!-- invalid ack - src port 8007 -->
 <group name="ids,suricata,noise">
  <rule id="100651" level="0">
    <if_sid>86601</if_sid>
    <field name="alert.signature">SURICATA STREAM ESTABLISHED invalid ack</field>
    <field name="src_port">8007</field>
    <time>22:00-23:00</time>
    <description>Ignore Suricata invalid ack between PBS during replication</description>
    <options>no_full_log</options>
  </rule>
 </group>
 <!-- out of window - dest port 8007 -->
 <group name="ids,suricata,noise">
  <rule id="100652" level="0">
    <if_sid>86601</if_sid>
    <field name="alert.signature">SURICATA STREAM ESTABLISHED packet out of window</field>
    <field name="dest_port">8007</field>
    <time>22:00-23:00</time>
    <description>Ignore Suricata out of window between PBS during replication</description>
    <options>no_full_log</options>
  </rule>
 </group>
 <!-- out of window - src port 8007 -->
 <group name="ids,suricata,noise">
  <rule id="100653" level="0">
    <if_sid>86601</if_sid>
    <field name="alert.signature">SURICATA STREAM ESTABLISHED packet out of window</field>
    <field name="src_port">8007</field>
    <time>22:00-23:00</time>
    <description>Ignore Suricata out of window between PBS during replication</description>
    <options>no_full_log</options>
  </rule>
 </group>
--- a/brut-force.xml
+++ b/brut-force.xml
@ -0,0 +1,26 @@
 <!-- Alerte si erreur euthentification X10 en moins de 180 seconde -->
 <group name="windows,windows_security,">
  <rule id="100150" level="15" frequency="10" timeframe="60">
    <if_matched_sid>60122</if_matched_sid>
    <same_field>win.eventdata.ipAddress</same_field>
    <description>Brut force</description>
  </rule>
 </group>
 <!-- Reduction bruit "Sandrine" Alerte si erreur euthentification X10 en moins de 180 seconde -->
 <group name="windows,windows_security,">
  <rule id="100151" level="0">
    <if_sid>100150</if_sid>
    <field name="win.eventdata.targetUserName">^Sandrine$</field>
    <description>Brut force</description>
  </rule>
 </group>
 <group name="windows,windows_security,">
  <rule id="100152" level="15" frequency="10" timeframe="60">
    <same_field>win.eventdata.ipAddress</same_field>
    <if_matched_sid>60105</if_matched_sid>
    <description>Brut force</description>
  </rule>
 </group>
--- a/local_rules.xml
+++ b/local_rules.xml
@ -0,0 +1,60 @@
 <!-- Local rules -->
 <!-- Modify it at your will. -->
 <!-- Copyright (C) 2015, Wazuh Inc. -->
 <!-- Example -->
 <group name="local,syslog,sshd,">
  <!--
  Dec 10 01:02:02 host sshd[1234]: Failed none for root from 1.1.1.1 port 1066 ssh2
  -->
  <rule id="100001" level="5">
    <if_sid>5716</if_sid>
    <srcip>1.1.1.1</srcip>
    <description>sshd: authentication failed from IP 1.1.1.1.</description>
    <group>authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,</group>
  </rule>
 </group>
 <!-- Règle alerte lors de la modification d'un fichier -->
 <group name="windows,windows_security,">
  <rule id="100146" level="9">
    <if_sid>60103</if_sid>
    <field name="win.system.eventID">^4663$</field>
    <description>Alerte fichier modifié</description>
  </rule>
 </group>
 <!-- Règle alerte lors de la suppression d'un fichier -->
 <group name="windows,windows_security,">
  <rule id="100147" level="9">
    <if_sid>60103</if_sid>
    <field name="win.system.eventID">^4659$</field>
    <description>Alerte fichier supprimé</description>
  </rule>
 </group>
 <!-- Règle alerte lors de la suppression d'un fichier -->
 <group name="windows,windows_security,">
  <rule id="100148" level="9">
    <if_sid>100146</if_sid>
    <field name="win.system.message">Écriture données (ou ajout fichier)</field>
    <description>Alerte fichier Créé</description>
  </rule>
 </group>
 <!-- Alerte si modif en masse de fichier par le même utilisateur -->
 <group name="windows,windows_security,">
  <rule id="100149" level="15" frequency="50" timeframe="60" ignore="300">
    <if_matched_sid>100146</if_matched_sid>
    <same_field>win.eventdata.subjectUserName</same_field>
    <description>Fichier modifier en masse</description>
  </rule>
 </group>
--- a/unifi-rules.xml
+++ b/unifi-rules.xml
@ -0,0 +1,175 @@
 <!-- =========================
     UniFi custom rules (tagged logs)
     IDs: 100400+
     One group per rule
     ========================= -->
 <group name="unifi,noise,">
  <rule id="100400" level="0">
    <decoded_as>unifi</decoded_as>
    <match>reporter_save_config</match>
    <description>UniFi noise: save_config</description>
  </rule>
 </group>
 <group name="unifi,noise,">
  <rule id="100401" level="0">
    <decoded_as>unifi</decoded_as>
    <match>need_cfg_save</match>
    <description>UniFi noise: need_cfg_save</description>
  </rule>
 </group>
 <group name="unifi,noise,dns,">
  <rule id="100402" level="0">
    <decoded_as>unifi</decoded_as>
    <match>use cached dns record</match>
    <description>UniFi noise: cached dns record</description>
  </rule>
 </group>
 <group name="unifi,sensitive,">
  <rule id="100403" level="0">
    <decoded_as>unifi</decoded_as>
    <match>authkey:</match>
    <description>UniFi sensitive: authkey ignored</description>
  </rule>
 </group>
 <group name="unifi,switch,network_down,">
  <rule id="100410" level="10">
    <decoded_as>unifi</decoded_as>
    <field name="link_state">down</field>
    <field name="device_family">^USW</field>
    <description>UniFi Switch: port link DOWN (site=$(site), device=$(device), port=$(port))</description>
  </rule>
 </group>
 <group name="unifi,switch,network_down,">
  <rule id="100411" level="10">
    <decoded_as>unifi</decoded_as>
    <field name="link_state">down</field>
    <field name="device_family">^SW</field>
    <description>UniFi Switch: port link DOWN (site=$(site), device=$(device), port=$(port))</description>
  </rule>
 </group>
 <group name="unifi,switch,network_instability,flapping,">
  <rule id="100412" level="12" frequency="3" timeframe="300">
    <if_matched_sid>100410</if_matched_sid>
    <same_field>site</same_field>
    <same_field>device</same_field>
    <same_field>port</same_field>
    <description>UniFi Switch: port FLAPPING (3x DOWN/5min) site=$(site) device=$(device) port=$(port)</description>
  </rule>
 </group>
 <group name="unifi,switch,network_instability,flapping,">
  <rule id="100413" level="12" frequency="3" timeframe="300">
    <if_matched_sid>100411</if_matched_sid>
    <same_field>site</same_field>
    <same_field>device</same_field>
    <same_field>port</same_field>
    <description>UniFi Switch: port FLAPPING (3x DOWN/5min) site=$(site) device=$(device) port=$(port)</description>
  </rule>
 </group>
 <group name="unifi,switch,network_loop,stp,">
  <rule id="100414" level="8">
    <decoded_as>unifi</decoded_as>
    <field name="device_family">^SW</field>
    <field name="stp_to">Blocking</field>
    <description>UniFi Switch: STP moved to BLOCKING (boucle réseau) site=$(site) device=$(device) port=$(port)</description>
  </rule>
 </group>
 <group name="unifi,switch,network_loop,stp,">
  <rule id="100415" level="8">
    <decoded_as>unifi</decoded_as>
    <field name="device_family">^USW</field>
    <field name="stp_to">Blocking</field>
    <description>UniFi Switch: STP moved to BLOCKING (boucle réseau) site=$(site) device=$(device) port=$(port)</description>
  </rule>
 </group>
 <group name="unifi,dns,unifi_controller,">
  <rule id="100420" level="8">
    <decoded_as>unifi</decoded_as>
    <field name="dns_host">.+</field>
    <description>UniFi: DNS controller resolve failed for $(dns_host) (site=$(site), device=$(device))</description>
  </rule>
 </group>
 <group name="unifi,unifi_controller,availability,">
  <rule id="100421" level="11">
    <decoded_as>unifi</decoded_as>
    <field name="inform_error">.+</field>
    <description>UniFi: Impossible de contacter le controlleur ($(inform_error)) url=$(inform_url) (site=$(site), device=$(device))</description>
  </rule>
 </group>
 <group name="unifi,unifi_controller,availability,">
  <rule id="100422" level="12">
    <decoded_as>unifi</decoded_as>
    <field name="state_to">Selfrun</field>
    <description>UniFi: device switched to SELF-RUN (controller lost?) site=$(site) device=$(device)</description>
  </rule>
 </group>
 <group name="unifi,wifi,authentication_failed,">
  <rule id="100430" level="2">
    <decoded_as>unifi</decoded_as>
    <field name="event_type">failure</field>
    <description>UniFi WiFi: assoc/auth failure sta=$(sta_mac) vap=$(vap) ap=$(device) site=$(site) wpa_auth_failures=$(wpa_auth_failures)</description>
  </rule>
 </group>
 <group name="unifi,wifi,">
  <rule id="100431" level="0">
    <decoded_as>unifi</decoded_as>
    <field name="wifi_event">disassociated</field>
    <description>UniFi WiFi: STA $(wifi_event) sta=$(sta_mac) vap=$(vap) ap=$(device) site=$(site)</description>
  </rule>
 </group>
 <group name="unifi,wifi,">
  <rule id="100432" level="0">
    <decoded_as>unifi</decoded_as>
    <field name="wifi_event">deauthenticated</field>
    <description>UniFi WiFi: STA $(wifi_event) sta=$(sta_mac) vap=$(vap) ap=$(device) site=$(site)</description>
  </rule>
 </group>
 <group name="unifi,wifi,authentication_failed,correlation,">
  <rule id="100433" level="10" frequency="5" timeframe="120">
    <if_matched_sid>100430</if_matched_sid>
    <same_field>site</same_field>
    <same_field>sta_mac</same_field>
    <description>UniFi WiFi: repeated auth failures (5x/2min) sta=$(sta_mac) site=$(site) vap=$(vap)</description>
  </rule>
 </group>
 <group name="unifi,wifi,site_issue,authentication_failed,">
  <rule id="100434" level="12" frequency="30" timeframe="300">
    <if_matched_sid>100430</if_matched_sid>
    <same_field>site</same_field>
    <description>UniFi WiFi: many auth failures on site (30x/5min) site=$(site)</description>
  </rule>
 </group>
 <group name="unifi,wifi,radio,stability,">
  <rule id="100440" level="10">
    <decoded_as>unifi</decoded_as>
    <field name="kernel_event">ath_bstuck_tasklet</field>
    <description>UniFi WiFi: radio stuck beacon/reset (radio wifi répond pas = reset) (site=$(site)) msg=$(msg)</description>
  </rule>
 </group>
 <group name="unifi,wifi,radio,stability,">
  <rule id="100441" level="12" frequency="3" timeframe="600">
    <if_matched_sid>100440</if_matched_sid>
    <same_field>site</same_field>
    <description>UniFi WiFi: repeated stuck beacon/reset (3x/10min) site=$(site)</description>
  </rule>
 </group>