l.bourdin
/
Wazuh-Custom-rules
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Wazuh-Custom-rules/Suricata.xml

662 lines
22 KiB
XML
Raw Permalink Blame History

<!-- Custom rules suricata -->
<!-- Overwrite règle de base pour debug
<group name="ids, suricata">
<rule id="86601" level="3" overwrite="yes">
<if_sid>86600</if_sid>
<field name="event_type">^alert$</field>
<description>Suricata: Alert - $(alert.signature)</description>
<options>no_full_log</options>
</rule>
</group> -->
<!-- Enlève bruit "Not Suspicious Traffic" -->
<group name="ids, suricata">
<rule id="100500" level="0">
<if_sid>86601</if_sid>
<field name="alert.category">^Not Suspicious Traffic$</field>
<description>Suricata: Alert - $(alert.signature)</description>
<options>no_full_log</options>
</rule>
</group>
<!-- Enlève bruit "DNS" -->
<group name="ids, suricata">
<rule id="100501" level="0">
<if_sid>86601</if_sid>
<field name="flow.dest_port">^53$</field>
<description>Suricata: Alert - $(alert.signature)</description>
<options>no_full_log</options>
</rule>
</group>
<!-- Enlève bruit : Alertes RST invalides isolées -->
<group name="ids, suricata">
<rule id="100510" level="0">
<if_sid>86601</if_sid>
<field name="alert.signature">^SURICATA STREAM SHUTDOWN RST invalid ack$</field>
<description>Suricata: Alert - $(alert.signature)</description>
<options>no_full_log</options>
</rule>
</group>
<!-- Alertes RST invalides en masse -->
<group name="ids, suricata">
<rule id="100511" level="10" frequency="10" timeframe="180">
<if_matched_sid>100510</if_matched_sid>
<same_field>flow.src_ip</same_field>
<description>Suricata: Alert - $(alert.signature)</description>
<options>no_full_log</options>
</rule>
</group>
<!-- Bruit TCP : SYNACK resend avec ACK différent -->
<group name="ids,suricata">
<rule id="100512" level="1">
<if_sid>86601</if_sid>
<field name="alert.signature">SURICATA STREAM ESTABLISHED SYNACK resend with different ACK</field>
<description>Suricata: TCP handshake anomaly (retransmission/reordering/capture/offload) - noise reduction</description>
<options>no_full_log</options>
</rule>
</group>
<!-- Escalade : burst de SYNACK resend anomalies depuis un même client -->
<group name="ids,suricata">
<rule id="100513" level="12" frequency="25" timeframe="300">
<if_matched_sid>100512</if_matched_sid>
<same_field>flow.src_ip</same_field>
<description>Suricata: Repeated SYNACK resend anomalies from same host (possible evasion / broken TCP stack / capture issue)</description>
<mitre>
<id>T1046</id>
</mitre>
<options>no_full_log</options>
</rule>
</group>
<!-- Enlève bruit : Accès SMB suspect
<group name="ids, suricata">
<rule id="100504" level="2">
<if_sid>86601</if_sid>
<field name="alert.category">^ET INFO SMB2 NT Create AndX Request For an Executable File$</field>
<description>Suricata: Alert - $(alert.signature)</description>
<options>no_full_log</options>
</rule>
</group> -->
<!-- Alertes SMB executable quiet hour : 0h00 5h00
<group name="ids, suricata">
<rule id="100505" level="10">
<if_sid>100504</if_sid>
<time>00:00-05:00</time>
<description>Suricata: Alert - $(alert.signature)</description>
<options>no_full_log</options>
</rule>
</group> -->
<!-- Alerte SCAN RESEAU -->
<group name="ids, suricata">
<rule id="100520" level="15" frequency="10" timeframe="60" ignore="300">
<if_matched_sid>86601</if_matched_sid>
<field type="pcre2" name="alert.signature">(Applayer Mismatch|malformed request|unable to match|Sipvicious|SCAN)</field>
<!-- <field name="alert.signature">^ET SCAN Possible Nmap User-Agent Observed$</field> -->
<description>Suricata: Alert - $(alert.signature)</description>
<options>no_full_log</options>
</rule>
</group>
<!-- Reduction bruit TCP overlaps suspect -->
<group name="ids, suricata">
<rule id="100530" level="2">
<if_sid>86601</if_sid>
<field name="alert.signature">^SURICATA STREAM reassembly overlap with different data$</field>
<description>Suricata: Alert - $(alert.signature)</description>
<options>no_full_log</options>
</rule>
</group>
<!-- Alerte TCP Overlaps répété depuis même IP -->
<group name="ids, suricata">
<rule id="100531" level="12" frequency="20" timeframe="600">
<if_matched_sid>100530</if_matched_sid>
<same_field>flow.src_ip</same_field>
<description>Suricata: Alert - $(alert.signature)</description>
<options>no_full_log</options>
</rule>
</group>
<!-- Reduction bruit TCP avec ack invalide -->
<group name="ids, suricata">
<rule id="100532" level="0">
<if_sid>86601</if_sid>
<field name="alert.signature">^SURICATA STREAM Packet with invalid ack$</field>
<description>Suricata: Alert - $(alert.signature)</description>
<options>no_full_log</options>
</rule>
</group>
<!-- Multiple TCP ack invalide -->
<group name="ids, suricata">
<rule id="100533" level="12" frequency="50" timeframe="300">
<if_matched_sid>100532</if_matched_sid>
<same_field>flow.src_ip</same_field>
<description>Suricata: Alert - Multiple TCP ack invalides - Possible ataque TCP</description>
<options>no_full_log</options>
</rule>
</group>
<!-- Reduction bruit TLS Fail -->
<group name="ids, suricata">
<rule id="100540" level="2">
<if_sid>86601</if_sid>
<field name="alert.signature">^ET INFO TLS Handshake Failure$</field>
<description>Suricata: Alert - $(alert.signature)</description>
<options>no_full_log</options>
</rule>
</group>
<!-- Alerte TLS Fail répété depuis même IP -->
<group name="ids, suricata">
<rule id="100541" level="12" frequency="50" timeframe="300">
<if_matched_sid>100540</if_matched_sid>
<same_field>flow.src_ip</same_field>
<description>Suricata: Alert - $(alert.signature)</description>
<options>no_full_log</options>
</rule>
</group>
<!-- Reduction bruit NSCI Microsoft -->
<group name="ids, suricata">
<rule id="100550" level="0">
<if_sid>86601</if_sid>
<field name="alert.signature">^ET INFO Microsoft Connection Test$</field>
<description>Suricata: Alert - $(alert.signature)</description>
<options>no_full_log</options>
</rule>
</group>
<!-- Alerte NCSI répété depuis même IP -->
<group name="ids, suricata">
<rule id="100551" level="12" frequency="20" timeframe="600">
<if_matched_sid>100550</if_matched_sid>
<same_field>flow.src_ip</same_field>
<description>Suricata: Alert - NCSI excessif - Problème réseau</description>
<options>no_full_log</options>
</rule>
</group>
<!-- Reduction bruit Timestamp invalid -->
<group name="ids, suricata">
<rule id="100560" level="2">
<if_sid>86601</if_sid>
<field name="alert.signature">^SURICATA STREAM Packet with invalid timestamp$</field>
<description>Suricata: Alert - $(alert.signature)</description>
<options>no_full_log</options>
</rule>
</group>
<!-- Multiple Timestamps invalies -->
<group name="ids, suricata">
<rule id="100561" level="12" frequency="100" timeframe="300">
<if_matched_sid>100560</if_matched_sid>
<same_field>flow.src_ip</same_field>
<description>Suricata: Alert - Multiple timestamps invalides - Possible évasion IDS</description>
<options>no_full_log</options>
</rule>
</group>
<!-- Reduction bruit FIN anormaux -->
<group name="ids, suricata">
<rule id="100570" level="0">
<if_sid>86601</if_sid>
<field name="alert.signature">^SURICATA STREAM FIN out of window$</field>
<description>Suricata: Alert - $(alert.signature)</description>
<options>no_full_log</options>
</rule>
</group>
<!-- Multiple FIN Anormaux -->
<group name="ids, suricata">
<rule id="100571" level="12" frequency="30" timeframe="600">
<if_matched_sid>100570</if_matched_sid>
<same_field>flow.src_ip</same_field>
<description>Suricata: Alert - Multiple FIN Anormaux - Possible problème réseau ou attaque</description>
<options>no_full_log</options>
</rule>
</group>
<!-- Reduction bruit FIN invalid -->
<group name="ids, suricata">
<rule id="100572" level="0">
<if_sid>86601</if_sid>
<field name="alert.signature">^SURICATA STREAM FIN invalid ack$</field>
<description>Suricata: Alert - $(alert.signature)</description>
<options>no_full_log</options>
</rule>
</group>
<!-- Multiple FIN invalid -->
<group name="ids, suricata">
<rule id="100573" level="12" frequency="30" timeframe="600">
<if_matched_sid>100572</if_matched_sid>
<field name="alert.signature">^SURICATA STREAM FIN invalid ack$</field>
<description>Suricata: Alert - $(alert.signature)</description>
<options>no_full_log</options>
</rule>
</group>
<!-- Filtre UDPv6 invalid-->
<group name="ids, suricata">
<rule id="100580" level="3">
<if_sid>86601</if_sid>
<field name="alert.signature">^SURICATA UDPv6 invalid checksum$</field>
<description>Suricata: Alert - $(alert.signature)</description>
<options>no_full_log</options>
</rule>
</group>
<!-- Reduction bruit UDPv6 invalid Unifi-->
<group name="ids, suricata">
<rule id="100581" level="2">
<if_sid>100580</if_sid>
<field name="alert.signature">^SURICATA UDPv6 invalid checksum$</field>
<field name="dest_port">5353</field>
<description>Suricata: Alert - $(alert.signature)</description>
<options>no_full_log</options>
</rule>
</group>
<!-- Multiple UDPv6 invalid -->
<group name="ids, suricata">
<rule id="100582" level="12" frequency="20" timeframe="300">
<if_matched_sid>100580</if_matched_sid>
<field name="alert.signature">^SURICATA UDPv6 invalid checksum$</field>
<same_field>flow.src_ip</same_field>
<description>Suricata: Alert - IPv6 UDP malformed packet flooding (repeated invalid checksum)</description>
<mitre>
<id>T1046</id>
</mitre>
<options>no_full_log</options>
</rule>
</group>
<!-- Reduction bruit SMB too many transaction - FS17101 -->
<group name="ids, suricata">
<rule id="100590" level="1">
<if_sid>86601</if_sid>
<field name="alert.signature">^SURICATA SMB too many transactions$</field>
<field type="pcre2" name="flow.dest_ip">(10.171.101.36|10.172.101.113)</field>
<description>Suricata: Alert - $(alert.signature)</description>
<options>no_full_log</options>
</rule>
</group>
<!-- Reduction bruit SMB too many transaction - FS17101 -->
<group name="ids, suricata">
<rule id="100591" level="1">
<if_sid>86601</if_sid>
<field name="alert.signature">^SURICATA SMB too many transactions$</field>
<field type="pcre2" name="flow.src_ip">(10.171.101.36|10.172.101.113)</field>
<description>Suricata: Alert - $(alert.signature)</description>
<options>no_full_log</options>
</rule>
</group>
<!-- Possible SMB enumération or ransomware activity -->
<group name="ids, suricata">
<rule id="100592" level="12" frequency="10" timeframe="600">
<if_matched_sid>100591</if_matched_sid>
<same_field>flow.src_ip</same_field>
<field name="flow.dest_ip" negate="yes">10.171.101.36</field>
<field name="alert.signature">^SURICATA SMB too many transactions$</field>
<description>Suricata : Possible SMB enumeration or ransomware activity</description>
<mitre>
<id>T1021.002</id>
</mitre>
<options>no_full_log</options>
</rule>
</group>
<!-- Filtrage Executable file SMB -->
<group name="ids, suricata">
<rule id="100600" level="0">
<if_sid>86601</if_sid>
<field name="alert.signature">^ET INFO SMB2 NT Create AndX Request For an Executable File$</field>
<description>Suricata: Filtrage executable file SMB</description>
<options>no_full_log</options>
</rule>
</group>
<!-- Filtrage Executable file SMB -->
<group name="ids, suricata">
<rule id="100601" level="7">
<if_sid>100600</if_sid>
<field name="smb.filename">.+</field>
<description>Suricata: Filtrage executable file SMB</description>
<options>no_full_log</options>
</rule>
</group>
<!-- Alertes critic : Executable file - Autre que fichier lambda -->
<group name="ids, suricata">
<rule id="100603" level="12">
<if_sid>100601</if_sid>
<regex type="pcre2" negate="yes" field="smb.filename">(?i)\.(pdf|docx?|xlsx?|pptx?|txt|jpe?g|png|gif|csv|zip|rar)</regex>
<description>Suricata: Fichier executable dans dossier partagé</description>
<!-- <options>no_full_log</options> -->
</rule>
</group>
<!-- Executable sur SMB
<group name="ids, suricata">
<rule id="100604" level="12">
<if_sid>100600</if_sid>
<regex type="pcre2" field="smb.filename">(?i)\.(exe|dll|bat|cmd|ps1|vbs|js|msi|scr|pif|com)([^\\\/]|$)</regex>
<description>Suricata : Executable lancer sur dossier partagé</description>
<mitre>T1021.002</mitre>
<options>no_full_log</options>
</rule>
</group> -->
<!-- Filtrage SMB DLL open depuis serveur de fichiers -->
<group name="ids, suricata">
<rule id="100610" level="7">
<if_sid>86601</if_sid>
<field name="alert.signature">ET INFO SMB2 NT Create AndX Request For a DLL File - Possible Lateral Movement</field>
<description>Suricata : SMB DLL access</description>
<options>no_full_log</options>
</rule>
</group>
<!-- Réduction bruit SMB DLL open depuis serveur de fichiers -->
<group name="ids, suricata">
<rule id="100611" level="1">
<if_sid>100610</if_sid>
<field name="dest_ip">10.171.101.36</field>
<description>Suricata : SMB DLL access on file server (often legitimate shared app/library)</description>
<options>no_full_log</options>
</rule>
</group>
<!-- Réduction bruit SMB DLL open vers serveur de fichiers -->
<group name="ids, suricata">
<rule id="100612" level="10">
<if_sid>100610</if_sid>
<field name="dest_ip" negate="yes">10.171.101.36</field>
<description>Suricata : SMB DLL access on file server (often legitimate shared app/library)</description>
<options>no_full_log</options>
</rule>
</group>
<!-- Bruit SMB : lecture normale de fichier dossier partagé (file overlap) -->
<group name="ids,suricata">
<rule id="100620" level="1">
<if_sid>86601</if_sid>
<field name="alert.signature">SURICATA SMB file overlap</field>
<description>Suricata: SMB file overlap (normal SMB read behaviour)</description>
<options>no_full_log</options>
</rule>
</group>
<!-- Reduction bruit TCP Bad Windows update -->
<group name="ids, suricata">
<rule id="100630" level="1">
<if_sid>86601</if_sid>
<field name="alert.signature">SURICATA STREAM bad window update</field>
<description>Suricata : Network/offloading/capture noiseS</description>
<options>no_full_log</options>
</rule>
</group>
<!-- Multiple TCP Bad Windows update -->
<group name="ids, suricata">
<rule id="100631" level="10" frequency="50" timeframe="300">
<if_matched_sid>100630</if_matched_sid>
<same_field>src_ip</same_field>
<description>High rate of TCP bad window updates from same host (possible local network stack/capture issue)</description>
<mitre>
<id>T1071.004</id>
</mitre>
<options>no_full_log</options>
</rule>
</group>
<!-- Réduction bruit UDP invalid checksum (QUIC/UDP443) -->
<group name="ids, suricata">
<rule id="100640" level="1">
<if_sid>86601</if_sid>
<field name="alert.signature">SURICATA UDPv4 invalid checksum</field>
<description>Suricata : UDPv4 invalid checksum - likely NIC offload/SPAN capture noise (often QUIC)</description>
<options>no_full_log</options>
</rule>
</group>
<!-- Multiple UDP invalid checksum from same source (possible malformed UDP flood) -->
<group name="ids, suricata">
<rule id="100641" level="12" frequency="200" timeframe="60">
<if_matched_sid>100640</if_matched_sid>
<same_field>flow.src_ip</same_field>
<description>High rate of UDPv4 invalid checksum from same host (possible malformed UDP flood / DoS)</description>
<options>no_full_log</options>
</rule>
</group>
<!-- Reduction bruit : TCP CLOSEWAIT FIN out of window (infra / supervision) -->
<group name="ids,suricata">
<rule id="100650" level="1">
<if_sid>86601</if_sid>
<field name="alert.signature">
SURICATA STREAM CLOSEWAIT FIN out of window
</field>
<description>
Suricata: TCP CLOSEWAIT FIN anomaly on known supervision traffic (likely FP)
</description>
<options>no_full_log</options>
</rule>
</group>
<!-- Escalade : TCP CLOSEWAIT FIN out of window flooding -->
<!-- TCP Evasion, outils de scan bas niveau, fuzzing TCP, Stack TCP custom/malveillant -->
<group name="ids,suricata">
<rule id="100651" level="12" frequency="30" timeframe="300">
<if_matched_sid>100650</if_matched_sid>
<same_field>src_ip</same_field>
<description>
Suricata: Repeated TCP CLOSEWAIT FIN anomalies from same host (possible evasion or broken TCP stack)
</description>
<mitre>
<id>T1046</id>
</mitre>
<options>no_full_log</options>
</rule>
</group>
<!-- Bruit TCP : packet out of window sur session établie -->
<group name="ids,suricata">
<rule id="100660" level="1">
<if_sid>86601</if_sid>
<field name="alert.signature">SURICATA STREAM ESTABLISHED packet out of window</field>
<description>Suricata: TCP stream out-of-window (likely retransmission/capture/offload) - noise reduction</description>
<options>no_full_log</options>
</rule>
</group>
<!-- Escalade : burst de out-of-window depuis une même machine -->
<!-- TCP Evasion, Hijack, scan bas niveau -->
<group name="ids,suricata">
<rule id="100661" level="12" frequency="30" timeframe="300">
<if_matched_sid>100660</if_matched_sid>
<same_field>flow.src_ip</same_field>
<description>Suricata: Repeated TCP out-of-window packets from same host (possible evasion / unstable TCP stack / capture issue)</description>
<mitre>
<id>T1046</id>
</mitre>
<options>no_full_log</options>
</rule>
</group>
<!-- out of window - dest port 8007 (PBS) -->
<group name="ids,suricata,noise">
<rule id="100662" level="0">
<if_sid>100660</if_sid>
<field name="dest_port">8007</field>
<time>22:00-23:00</time>
<description>Ignore Suricata out of window between PBS during replication</description>
<options>no_full_log</options>
</rule>
</group>
<!-- out of window - src port 8007 -->
<group name="ids,suricata,noise">
<rule id="100663" level="0">
<if_sid>100660</if_sid>
<field name="src_port">8007</field>
<time>22:00-23:00</time>
<description>Ignore Suricata out of window between PBS during replication</description>
<options>no_full_log</options>
</rule>
</group>
<!-- STUN (WebRTC/VoIP) -->
<group name="ids,suricata">
<rule id="100670" level="7">
<if_sid>86601</if_sid>
<match>ET INFO Session Traversal Utilities for NAT (STUN Binding Response)</match>
<description>Suricata: STUN binding response (likely WebRTC/VoIP)</description>
<options>no_full_log</options>
</rule>
</group>
<!-- Bruit STUN (WebRTC/VoIP) -->
<group name="ids,suricata">
<rule id="100671" level="1">
<if_sid>100670</if_sid>
<regex type="pcre2" field="flow.src_ip">192\.168\.12\.*</regex>
<description>Suricata: STUN binding response (likely WebRTC/VoIP) - noise reduction</description>
<options>no_full_log</options>
</rule>
</group>
<!-- Bruit STUN (WebRTC/VoIP) -->
<group name="ids,suricata">
<rule id="100672" level="1">
<if_sid>100670</if_sid>
<regex type="pcre2" field="flow.src_ip">10\.17[0-9]\.[1|2]\.</regex>
<description>Suricata: STUN binding response (likely WebRTC/VoIP) - noise reduction</description>
<options>no_full_log</options>
</rule>
</group>
<!-- STUN anormal : trop fréquent depuis le même host -->
<!-- Attaque : Contournement P2P/WebRTC, outil de tunnelling, C2 -->
<group name="ids,suricata">
<rule id="100673" level="12" frequency="80" timeframe="300">
<if_matched_sid>100670</if_matched_sid>
<same_field>flow.src_ip</same_field>
<description>Suricata: Abnormal STUN activity burst (possible tunneling / unauthorized VoIP / P2P)</description>
<mitre>
<id>T1071</id>
</mitre>
<options>no_full_log</options>
</rule>
</group>
<!-- Filtre invalid ack -->
<group name="ids,suricata,noise">
<rule id="100680" level="0">
<if_sid>86601</if_sid>
<field name="alert.signature">SURICATA STREAM ESTABLISHED invalid ack</field>
<description>Suricata invalid ack</description>
<options>no_full_log</options>
</rule>
</group>
<!-- Réduction bruit saturation synchro PBS -->
<!-- invalid ack - dest port 8007 -->
<group name="ids,suricata,noise">
<rule id="100681" level="0">
<if_sid>100680</if_sid>
<field name="dest_port">8007</field>
<time>22:00-23:00</time>
<description>Ignore Suricata invalid ack between PBS during replication</description>
<options>no_full_log</options>
</rule>
</group>
<!-- invalid ack - src port 8007 -->
<group name="ids,suricata,noise">
<rule id="100682" level="0">
<if_sid>100680</if_sid>
<field name="src_port">8007</field>
<time>22:00-23:00</time>
<description>Ignore Suricata invalid ack between PBS during replication</description>
<options>no_full_log</options>
</rule>
</group>
<!-- Reduction bruit DNS over HTTPS (DOH) -->
<group name="ids, suricata">
<rule id="100700" level="1">
<if_sid>86601</if_sid>
<field name="alert.metadata.tag">DoH</field>
<description>Suricata : DNS over HTTPS</description>
<options>no_full_log</options>
</rule>
</group>
<!-- DOH sur VLAN ADMINSYS -->
<group name="ids, suricata">
<rule id="100701" level="12">
<if_sid>100700</if_sid>
<regex field="src_ip">^10\.172\.253\.</regex>
<description>Suricata DNS over HTTPS VLAN ADMINSYS</description>
<mitre>
<id>T1071.004</id>
</mitre>
<options>no_full_log</options>
</rule>
</group>
Reference in New Issue View Git Blame Copy Permalink