Indentation, doublon et filtrage suricata.xml

Suricata.xml

@@ -255,10 +255,20 @@
 
 
 
+<!-- Filtre UDPv6 invalid-->
+<group name="ids, suricata">
+    <rule id="100580" level="3">
+        <if_sid>86601</if_sid>
+        <field name="alert.signature">^SURICATA UDPv6 invalid checksum$</field>
+        <description>Suricata: Alert - $(alert.signature)</description>
+        <options>no_full_log</options>
+    </rule>
+</group>
+
 <!-- Reduction bruit UDPv6 invalid Unifi-->
 <group name="ids, suricata">
-    <rule id="100580" level="2">
+    <rule id="100581" level="2">
-        <if_sid>86601</if_sid>
+        <if_sid>100580</if_sid>
         <field name="alert.signature">^SURICATA UDPv6 invalid checksum$</field>
         <field name="dest_port">5353</field>
         <description>Suricata: Alert - $(alert.signature)</description>
@@ -268,8 +278,8 @@
 
 <!-- Multiple UDPv6 invalid -->
 <group name="ids, suricata">
-    <rule id="100581" level="12" frequency="20" timeframe="300">
+    <rule id="100582" level="12" frequency="20" timeframe="300">
-        <if_matched_sid>86601</if_matched_sid>
+        <if_matched_sid>100580</if_matched_sid>
         <field name="alert.signature">^SURICATA UDPv6 invalid checksum$</field>
         <same_field>flow.src_ip</same_field>
         <description>Suricata: Alert - IPv6 UDP malformed packet flooding (repeated invalid checksum)</description>
@@ -321,7 +331,7 @@
 
 <!-- Filtrage Executable file SMB -->
 <group name="ids, suricata">
-    <rule id="100592" level="0">
+    <rule id="100600" level="0">
         <if_sid>86601</if_sid>
         <field name="alert.signature">^ET INFO SMB2 NT Create AndX Request For an Executable File$</field>
         <description>Suricata: Filtrage executable file SMB</description>
@@ -332,8 +342,8 @@
 
 <!-- Filtrage Executable file SMB -->
 <group name="ids, suricata">
-    <rule id="100593" level="7">
+    <rule id="100601" level="7">
-        <if_sid>100592</if_sid>
+        <if_sid>100600</if_sid>
         <field name="smb.filename">.+</field>
         <description>Suricata: Filtrage executable file SMB</description>
         <options>no_full_log</options>
@@ -344,8 +354,8 @@
 
 <!-- Exception métier : Sphinx exécuté depuis SMB -->
 <group name="ids,suricata">
-  <rule id="100594" level="0">
+  <rule id="100602" level="0">
-    <if_sid>100593</if_sid>
+    <if_sid>100600</if_sid>
     <regex type="pcre2" field="smb.filename">(?i)Systeme.*\.exe</regex>
     <description>
       Suricata: Known business software (Sphinx) executed from SMB share
@@ -356,9 +366,8 @@
 
 <!-- Alertes critic : Executable file - Autre que fichier lambda -->
 <group name="ids, suricata">
-    <rule id="100595" level="12">
+    <rule id="100603" level="12">
-        <if_sid>100593</if_sid>
+        <if_sid>100600</if_sid>
-        <field name="alert.signature">^ET INFO SMB2 NT Create AndX Request For an Executable File$</field>
         <regex type="pcre2" negate="yes" field="smb.filename">(?i)\.(pdf|docx?|xlsx?|pptx?|txt|jpe?g|png|gif|csv|zip|rar)</regex>
         <description>Suricata: Fichier executable dans dossier partagé</description>
         <!-- <options>no_full_log</options> -->
@@ -369,9 +378,8 @@
 
 <!-- Executable sur SMB
 <group name="ids, suricata">
-    <rule id="100596" level="12">
+    <rule id="100604" level="12">
-        <if_sid>86601</if_sid>
+        <if_sid>100600</if_sid>
-        <field name="alert.signature">^ET INFO SMB2 NT Create AndX Request For an Executable File$</field>
         <regex type="pcre2" field="smb.filename">(?i)\.(exe|dll|bat|cmd|ps1|vbs|js|msi|scr|pif|com)([^\\\/]|$)</regex>
         <description>Suricata : Executable lancer sur dossier partagé</description>
         <mitre>T1021.002</mitre>
@@ -380,22 +388,31 @@
 </group> -->
 
 
-<!-- Réduction bruit SMB DLL open depuis serveur de fichiers -->
+<!-- Filtrage SMB DLL open depuis serveur de fichiers -->
 <group name="ids, suricata">
-    <rule id="100597" level="1">
+    <rule id="100610" level="7">
         <if_sid>86601</if_sid>
         <field name="alert.signature">ET INFO SMB2 NT Create AndX Request For a DLL File - Possible Lateral Movement</field>
+        <description>Suricata : SMB DLL access</description>
+        <options>no_full_log</options>
+    </rule>
+</group>
+
+
+<!-- Réduction bruit SMB DLL open depuis serveur de fichiers -->
+<group name="ids, suricata">
+    <rule id="100611" level="1">
+        <if_sid>100610</if_sid>
         <field name="dest_ip">10.171.101.36</field>
         <description>Suricata : SMB DLL access on file server (often legitimate shared app/library)</description>
         <options>no_full_log</options>
     </rule>
 </group>
 
-<!-- Réduction bruit SMB DLL open depuis serveur de fichiers -->
+<!-- Réduction bruit SMB DLL open vers serveur de fichiers -->
 <group name="ids, suricata">
-    <rule id="100598" level="10">
+    <rule id="100612" level="10">
-        <if_sid>86601</if_sid>
+        <if_sid>100610</if_sid>
-        <field name="alert.signature">ET INFO SMB2 NT Create AndX Request For a DLL File - Possible Lateral Movement</field>
         <field name="dest_ip" negate="yes">10.171.101.36</field>
         <description>Suricata : SMB DLL access on file server (often legitimate shared app/library)</description>
         <options>no_full_log</options>
@@ -405,7 +422,7 @@
 
 <!-- Bruit SMB : lecture normale de fichier dossier partagé (file overlap) -->
 <group name="ids,suricata">
-  <rule id="100599" level="1">
+  <rule id="100620" level="1">
     <if_sid>86601</if_sid>
     <field name="alert.signature">SURICATA SMB file overlap</field>
     <description>Suricata: SMB file overlap (normal SMB read behaviour)</description>
@@ -414,34 +431,10 @@
 </group>
 
 
-<!-- Reduction bruit DNS over HTTPS (DOH) -->
+
+<!-- Reduction bruit TCP Bad Windows update -->
 <group name="ids, suricata">
-        <rule id="100600" level="1">
+    <rule id="100630" level="1">
-        <if_sid>86601</if_sid>
-        <field name="alert.metadata.tag">DoH</field>
-        <description>Suricata : DNS over HTTPS</description>
-        <options>no_full_log</options>
-    </rule>
-</group>
-
-<!-- DOH sur VLAN ADMINSYS -->
-<group name="ids, suricata">
-    <rule id="100601" level="12">
-        <if_sid>100600</if_sid>
-        <regex field="src_ip">^10\.172\.253\.</regex>
-        <description>Suricata DNS over HTTPS VLAN ADMINSYS</description>
-        <mitre>
-            <id>T1071.004</id>
-        </mitre>
-        <options>no_full_log</options>
-    </rule>
-</group>
-
-
-
-<!-- Reduction bruit Bad Windows update -->
-<group name="ids, suricata">
-    <rule id="100610" level="1">
         <if_sid>86601</if_sid>
         <field name="alert.signature">SURICATA STREAM bad window update</field>
         <description>Suricata : Network/offloading/capture noiseS</description>
@@ -451,8 +444,8 @@
 
 <!-- Multiple TCP Bad Windows update -->
 <group name="ids, suricata">
-    <rule id="100611" level="10" frequency="50" timeframe="300">
+    <rule id="100631" level="10" frequency="50" timeframe="300">
-        <if_matched_sid>100610</if_matched_sid>
+        <if_matched_sid>100630</if_matched_sid>
         <same_field>src_ip</same_field>
         <description>High rate of TCP bad window updates from same host (possible local network stack/capture issue)</description>
         <mitre>
@@ -467,7 +460,7 @@
 
 <!-- Réduction bruit UDP invalid checksum (QUIC/UDP443) -->
 <group name="ids, suricata">
-    <rule id="100620" level="1">
+    <rule id="100640" level="1">
         <if_sid>86601</if_sid>
         <field name="alert.signature">SURICATA UDPv4 invalid checksum</field>
         <description>Suricata : UDPv4 invalid checksum - likely NIC offload/SPAN capture noise (often QUIC)</description>
@@ -477,8 +470,8 @@
 
 <!-- Multiple UDP invalid checksum from same source (possible malformed UDP flood) -->
 <group name="ids, suricata">
-    <rule id="100621" level="12" frequency="200" timeframe="60">
+    <rule id="100641" level="12" frequency="200" timeframe="60">
-        <if_matched_sid>100620</if_matched_sid>
+        <if_matched_sid>100640</if_matched_sid>
         <same_field>flow.src_ip</same_field>
         <description>High rate of UDPv4 invalid checksum from same host (possible malformed UDP flood / DoS)</description>
         <options>no_full_log</options>
@@ -488,7 +481,7 @@
 
 <!-- Reduction bruit : TCP CLOSEWAIT FIN out of window (infra / supervision) -->
 <group name="ids,suricata">
-  <rule id="100630" level="1">
+  <rule id="100650" level="1">
     <if_sid>86601</if_sid>
 
     <field name="alert.signature">
@@ -507,8 +500,8 @@
 <!-- Escalade : TCP CLOSEWAIT FIN out of window flooding -->
 <!-- TCP Evasion, outils de scan bas niveau, fuzzing TCP, Stack TCP custom/malveillant -->
 <group name="ids,suricata">
-  <rule id="100631" level="12" frequency="30" timeframe="300">
+  <rule id="100651" level="12" frequency="30" timeframe="300">
-    <if_matched_sid>100630</if_matched_sid>
+    <if_matched_sid>100650</if_matched_sid>
 
     <same_field>src_ip</same_field>
 
@@ -525,7 +518,7 @@
 
 <!-- Bruit TCP : packet out of window sur session établie -->
 <group name="ids,suricata">
-  <rule id="100632" level="1">
+  <rule id="100660" level="1">
     <if_sid>86601</if_sid>
     <field name="alert.signature">SURICATA STREAM ESTABLISHED packet out of window</field>
     <description>Suricata: TCP stream out-of-window (likely retransmission/capture/offload) - noise reduction</description>
@@ -537,8 +530,8 @@
 <!-- Escalade : burst de out-of-window depuis une même machine -->
 <!-- TCP Evasion, Hijack, scan bas niveau -->
 <group name="ids,suricata">
-  <rule id="100633" level="12" frequency="30" timeframe="300">
+  <rule id="100661" level="12" frequency="30" timeframe="300">
-    <if_matched_sid>100632</if_matched_sid>
+    <if_matched_sid>100660</if_matched_sid>
     <same_field>flow.src_ip</same_field>
     <description>Suricata: Repeated TCP out-of-window packets from same host (possible evasion / unstable TCP stack / capture issue)</description>
     <mitre>
@@ -548,12 +541,35 @@
   </rule>
 </group>
 
+<!-- out of window - dest port 8007 (PBS) -->
+<group name="ids,suricata,noise">
+  <rule id="100662" level="0">
+    <if_sid>100660</if_sid>
+    <field name="dest_port">8007</field>
+    <time>22:00-23:00</time>
+    <description>Ignore Suricata out of window between PBS during replication</description>
+    <options>no_full_log</options>
+  </rule>
+</group>
+
+
+<!-- out of window - src port 8007 -->
+<group name="ids,suricata,noise">
+  <rule id="100663" level="0">
+    <if_sid>100660</if_sid>
+    <field name="src_port">8007</field>
+    <time>22:00-23:00</time>
+    <description>Ignore Suricata out of window between PBS during replication</description>
+    <options>no_full_log</options>
+  </rule>
+</group>
+
 
 
 
 <!-- STUN (WebRTC/VoIP) -->
 <group name="ids,suricata">
-  <rule id="100640" level="7">
+  <rule id="100670" level="7">
     <if_sid>86601</if_sid>
     <match>ET INFO Session Traversal Utilities for NAT (STUN Binding Response)</match>
     <description>Suricata: STUN binding response (likely WebRTC/VoIP)</description>
@@ -563,8 +579,8 @@
 
 <!-- Bruit STUN (WebRTC/VoIP) -->
 <group name="ids,suricata">
-  <rule id="100641" level="1">
+  <rule id="100671" level="1">
-    <if_sid>100640</if_sid>
+    <if_sid>100670</if_sid>
     <regex type="pcre2" field="flow.src_ip">192\.168\.12\.*</regex>
     <description>Suricata: STUN binding response (likely WebRTC/VoIP) - noise reduction</description>
     <options>no_full_log</options>
@@ -573,8 +589,8 @@
 
 <!-- Bruit STUN (WebRTC/VoIP) -->
 <group name="ids,suricata">
-  <rule id="100642" level="1">
+  <rule id="100672" level="1">
-    <if_sid>100640</if_sid>
+    <if_sid>100670</if_sid>
     <regex type="pcre2" field="flow.src_ip">10\.17[0-9]\.[1|2]\.</regex>
     <description>Suricata: STUN binding response (likely WebRTC/VoIP) - noise reduction</description>
     <options>no_full_log</options>
@@ -585,8 +601,8 @@
 <!-- STUN anormal : trop fréquent depuis le même host -->
 <!-- Attaque : Contournement P2P/WebRTC, outil de tunnelling, C2 -->
 <group name="ids,suricata">
-  <rule id="100643" level="12" frequency="80" timeframe="300">
+  <rule id="100673" level="12" frequency="80" timeframe="300">
-    <if_matched_sid>100640</if_matched_sid>
+    <if_matched_sid>100670</if_matched_sid>
     <same_field>flow.src_ip</same_field>
     <description>Suricata: Abnormal STUN activity burst (possible tunneling / unauthorized VoIP / P2P)</description>
     <mitre>
@@ -596,12 +612,23 @@
   </rule>
 </group>
 
+
+<!-- Filtre invalid ack -->
+<group name="ids,suricata,noise">
+  <rule id="100680" level="0">
+    <if_sid>86601</if_sid>
+    <field name="alert.signature">SURICATA STREAM ESTABLISHED invalid ack</field>
+    <description>Suricata invalid ack</description>
+    <options>no_full_log</options>
+  </rule>
+</group>
+
+
 <!-- Réduction bruit saturation synchro PBS -->
 <!-- invalid ack - dest port 8007 -->
 <group name="ids,suricata,noise">
-  <rule id="100650" level="0">
+  <rule id="100681" level="0">
-    <if_sid>86601</if_sid>
+    <if_sid>100680</if_sid>
-    <field name="alert.signature">SURICATA STREAM ESTABLISHED invalid ack</field>
     <field name="dest_port">8007</field>
     <time>22:00-23:00</time>
     <description>Ignore Suricata invalid ack between PBS during replication</description>
@@ -611,9 +638,8 @@
 
 <!-- invalid ack - src port 8007 -->
 <group name="ids,suricata,noise">
-  <rule id="100651" level="0">
+  <rule id="100682" level="0">
-    <if_sid>86601</if_sid>
+    <if_sid>100680</if_sid>
-    <field name="alert.signature">SURICATA STREAM ESTABLISHED invalid ack</field>
     <field name="src_port">8007</field>
     <time>22:00-23:00</time>
     <description>Ignore Suricata invalid ack between PBS during replication</description>
@@ -622,27 +648,26 @@
 </group>
 
 
-<!-- out of window - dest port 8007 -->
+
-<group name="ids,suricata,noise">
+<!-- Reduction bruit DNS over HTTPS (DOH) -->
-  <rule id="100652" level="0">
+<group name="ids, suricata">
+        <rule id="100700" level="1">
         <if_sid>86601</if_sid>
-    <field name="alert.signature">SURICATA STREAM ESTABLISHED packet out of window</field>
+        <field name="alert.metadata.tag">DoH</field>
-    <field name="dest_port">8007</field>
+        <description>Suricata : DNS over HTTPS</description>
-    <time>22:00-23:00</time>
-    <description>Ignore Suricata out of window between PBS during replication</description>
         <options>no_full_log</options>
     </rule>
 </group>
 
-<!-- out of window - src port 8007 -->
+<!-- DOH sur VLAN ADMINSYS -->
-<group name="ids,suricata,noise">
+<group name="ids, suricata">
-  <rule id="100653" level="0">
+    <rule id="100701" level="12">
-    <if_sid>86601</if_sid>
+        <if_sid>100700</if_sid>
-    <field name="alert.signature">SURICATA STREAM ESTABLISHED packet out of window</field>
+        <regex field="src_ip">^10\.172\.253\.</regex>
-    <field name="src_port">8007</field>
+        <description>Suricata DNS over HTTPS VLAN ADMINSYS</description>
-    <time>22:00-23:00</time>
+        <mitre>
-    <description>Ignore Suricata out of window between PBS during replication</description>
+            <id>T1071.004</id>
+        </mitre>
         <options>no_full_log</options>
     </rule>
 </group>
-