l.bourdin
/
Wazuh-Custom-rules
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Wazuh-Custom-rules/fortigate.xml

66 lines
2.4 KiB
XML
Raw Blame History

<group name="fortinet,data-evasion,critic">
<!-- 1. Filtre de base : trafic lan -> wan -->
<rule id="100250" level="0">
<if_group>fortigate</if_group>
<field name="srcintfrole">lan</field>
<field name="dstintfrole">wan</field>
<description>Fortigate: trafic lan vers wan</description>
</rule>
<!-- 2. Exclure les IP privées RFC1918 sur la destination -->
<rule id="100251" level="0">
<if_sid>100250</if_sid>
<regex negate="yes">dstip=10\.|dstip=192\.168\.|dstip=172\.1[6-9]\.|dstip=172\.2[0-9]\.|dstip=172\.3[01]\.</regex>
<description>Fortigate: destination IP publique confirmee</description>
</rule>
<!-- 4. Alerte 100MB (pour chunk)-->
<rule id="100252" level="0">
<if_sid>100251</if_sid>
<field type="pcre2" name="sentbyte">^[1-9]\d{8}$</field>
<description>Fortigate: Large outbound transfer ($(sentbyte) bytes) from $(srcip) to $(dstip)</description>
</rule>
<!-- 3. Alerte 500MB -->
<rule id="100253" level="3">
<if_sid>100251</if_sid>
<field type="pcre2" name="sentbyte">^[5-9]\d{8}$</field>
<description>Fortigate: Large outbound transfer ($(sentbyte) bytes) from $(srcip) to $(dstip)</description>
</rule>
<!-- 4. Alerte 1GB critique -->
<rule id="100254" level="8">
<if_sid>100251</if_sid>
<field type="pcre2" name="sentbyte">^(?:[1-9]\d{9})$</field>
<description>CRITICAL - Fortigate: Massive outbound transfer 1GB from $(srcip) to $(dstip)</description>
</rule>
<!-- 5. Alerte envoie fragmenté (plateforme de transfert) critique -->
<rule id="100255" level="8" frequency="5" timeframe="600">
<if_matched_sid>100252</if_matched_sid>
<description>Fortigate: Repeated large transfers from $(srcip) - possible large exfiltration in progress</description>
</rule>
</group>
<!-- 6. Alerte 1GB Quiet Hour critique -->
<group name="fortinet,data-evasion,critic,">
<rule id="100256" level="3">
<if_sid>100254</if_sid>
<time>00:00-05:00</time>
<description>Fortigate: Large transfers from $(srcip) in quiet hour - possible large exfiltration</description>
</rule>
</group>
<!-- 7. Alerte 10GB critique -->
<group name="fortinet,data-evasion,critic,">
<rule id="100257" level="8">
<if_sid>100251</if_sid>
<field type="pcre2" name="sentbyte">^\d{11,}$</field>
<description>CRITICAL - Fortigate: Massive outbound transfer 10GB from $(srcip) to $(dstip)</description>
</rule>
</group>
Reference in New Issue View Git Blame Copy Permalink