Update splunk/rules_to_add_to_github.md
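--- a/splunk/rules_to_add_to_github.md
+++ b/splunk/rules_to_add_to_github.md
@@ -94,4 +94,73 @@ fields:
 - icmp_type
 - icmp_code
 level: high
+```
+
+IPsec from outside
+
+```
+`indextime` sourcetype=syslog
+| where NOT cidrmatch("10.0.0.0/8", src_ip) AND NOT cidrmatch("192.168.0.0/16", src_ip) AND NOT cidrmatch("172.16.0.0/12", src_ip)
+| where cidrmatch("137.0.0.0/16", src_ip) OR src_port=500 OR dest_port=500
+| stats count by src_ip, dest_ip, src_port, dest_port
+| sort - count
+| eval hash_sha256=if(isnull(hash_sha256), "N/A", lower(hash_sha256)),
+hunting_trigger="Detects suspicious connections to non-private IPs or port 500 usage.",
+mitre_category="Discovery",
+mitre_technique="Network Service Scanning",
+mitre_technique_id="T1046",
+mitre_subtechnique="",
+mitre_subtechnique_id="",
+apt="Volt Typhoon",
+mitre_link="https://attack.mitre.org/techniques/T1046/",
+creator="Sgt Iverson",
+last_tested="",
+upload_date="2025-04-15",
+last_modify_date="2025-04-15",
+mitre_version="v16",
+priority="high"
+| eval indextime = _indextime
+| convert ctime(indextime)
+| table _time, indextime, event_description, hash_sha256, src_ip, dest_ip, src_port, dest_port, http_header, mitre_category, mitre_technique, mitre_technique_id, hunting_trigger, mitre_subtechnique, mitre_subtechnique_id, apt, mitre_link, creator, last_tested, upload_date, last_modify_date, mitre_version, priority
+| collect `jarvis_index`
+```
+
+```
+title: Detect Suspicious Connections to Non-Private IPs or Port 500 Usage
+id: b4a8cfa4-7a21-4f8a-9383-1234abcd5678
+description: Detects connections from non-private IPs or IPs in the 137.0.0.0/16 range, with usage of port 500, including data enrichment fields.
+author: Sgt Iverson
+logsource:
+product: network
+service: syslog
+detection:
+selection:
+src_ip:
+- "!10.0.0.0/8"
+- "!192.168.0.0/16"
+- "!172.16.0.0/12"
+- "137.0.0.0/16"
+src_port: 500
+dest_port: 500
+condition: selection
+fields:
+- src_ip
+- dest_ip
+- src_port
+- dest_port
+- hash_sha256
+- http_header
+enrichment:
+hunting_trigger: "Detects suspicious connections to non-private IPs or port 500 usage."
+mitre_category: "Discovery"
+mitre_technique: "Network Service Scanning"
+mitre_technique_id: "T1046"
+apt: "Volt Typhoon"
+mitre_link: "https://attack.mitre.org/techniques/T1046/"
+creator: "Sgt Iverson"
+upload_date: "2025-04-15"
+last_modify_date: "2025-04-15"
+mitre_version: "v16"
+priority: "high"
+level: high
 ```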
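Review bot: The Sigma `selection` block does not encode the same logic as the SPL above it — keys inside one selection map are ANDed, so `src_port: 500` together with `dest_port: 500` requires both ports to be 500, whereas the search uses `cidrmatch("137.0.0.0/16", src_ip) OR src_port=500 OR dest_port=500`, and entries like `"!10.0.0.0/8"` are not a Sigma negation (the `|cidr` field modifier plus `not` in `condition` are), so a converter would match those literal strings. Splitting the map into a `private_src:` selection using `src_ip|cidr:` for the three RFC 1918 ranges, a `range:` selection for the 137.0.0.0/16 test and a `ports:` selection for the two port keys, with `condition: not private_src and (range or ports)`, would make the YAML match the search. The `description` and `hunting_trigger` text ("non-private IPs or port 500 usage") also overstates the search, which only fires for non-private sources that additionally hit 137.0.0.0/16 or port 500, and nothing on the page explains why that /16 is singled out — a one-line comment above the second `where` would help. The rule `id` ending in `1234abcd5678` reads like a hand-typed placeholder and should be a generated UUID before the rule is added to the repo, and `mitre_technique="Network Service Scanning"` should be checked against the `mitre_version="v16"` title of T1046, which current ATT&CK releases list as Network Service Discovery.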