CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-07 09:42:46 +01:00
Code Issues Packages Projects Releases Wiki Activity

manage suricata classifications.config https://github.com/Security-Onion-Solutions/securityonion/issues/7918

Browse Source
This commit is contained in:
m0duspwnens
2022-05-26 11:43:31 -04:00
parent 53883e4ade
commit 1bfde852f5
3 changed files with 1 additions and 169 deletions
Download Patch File Download Diff File Expand all files Collapse all files

43
salt/suricata/classification.csv
View File

@@ -1,43 +0,0 @@
attempted-admin,Attempted Administrator Privilege Gain,1
attempted-dos,Attempted Denial of Service,2
attempted-recon,Attempted Information Leak,2
attempted-user,Attempted User Privilege Gain,1
bad-unknown,Potentially Bad Traffic, 2
coin-mining,Crypto Currency Mining Activity Detected,2
command-and-control,Malware Command and Control Activity Detected,1
credential-theft,Successful Credential Theft Detected,1
default-login-attempt,Attempt to login by a default username and password,2
denial-of-service,Detection of a Denial of Service Attack,2
domain-c2,Domain Observed Used for C2 Detected,1
exploit-kit,Exploit Kit Activity Detected,1
external-ip-check,Device Retrieving External IP Address Detected,2
icmp-event,Generic ICMP event,3
inappropriate-content,Inappropriate Content was Detected,1
misc-activity,Misc activity,3
misc-attack,Misc Attack,2
network-scan,Detection of a Network Scan,3
non-standard-protocol,Detection of a non-standard protocol or event,2
not-suspicious,Not Suspicious Traffic,3
policy-violation,Potential Corporate Privacy Violation,1
protocol-command-decode,Generic Protocol Command Decode,3
pup-activity,Possibly Unwanted Program Detected,2
rpc-portmap-decode,Decode of an RPC Query,2
shellcode-detect,Executable code was detected,1
social-engineering,Possible Social Engineering Attempted,2
string-detect,A suspicious string was detected,3
successful-admin,Successful Administrator Privilege Gain,1
successful-dos,Denial of Service,2
successful-recon-largescale,Large Scale Information Leak,2
successful-recon-limited,Information Leak,2
successful-user,Successful User Privilege Gain,1
suspicious-filename-detect,A suspicious filename was detected,2
suspicious-login,An attempted login using a suspicious username was detected,2
system-call-detect,A system call was detected,2
targeted-activity,Targeted Malicious Activity was Detected,1
tcp-connection,A TCP connection was detected,4
trojan-activity,A Network Trojan was detected, 1
unknown,Unknown Traffic,3
unsuccessful-user,Unsuccessful User Privilege Gain,1
unusual-client-port-connection,A client was using an unusual port,2
web-application-activity,access to a potentially vulnerable web application,2
web-application-attack,Web Application Attack,1
1 attempted-admin Attempted Administrator Privilege Gain 1
2 attempted-dos Attempted Denial of Service 2
3 attempted-recon Attempted Information Leak 2
4 attempted-user Attempted User Privilege Gain 1
5 bad-unknown Potentially Bad Traffic 2
6 coin-mining Crypto Currency Mining Activity Detected 2
7 command-and-control Malware Command and Control Activity Detected 1
8 credential-theft Successful Credential Theft Detected 1
9 default-login-attempt Attempt to login by a default username and password 2
10 denial-of-service Detection of a Denial of Service Attack 2
11 domain-c2 Domain Observed Used for C2 Detected 1
12 exploit-kit Exploit Kit Activity Detected 1
13 external-ip-check Device Retrieving External IP Address Detected 2
14 icmp-event Generic ICMP event 3
15 inappropriate-content Inappropriate Content was Detected 1
16 misc-activity Misc activity 3
17 misc-attack Misc Attack 2
18 network-scan Detection of a Network Scan 3
19 non-standard-protocol Detection of a non-standard protocol or event 2
20 not-suspicious Not Suspicious Traffic 3
21 policy-violation Potential Corporate Privacy Violation 1
22 protocol-command-decode Generic Protocol Command Decode 3
23 pup-activity Possibly Unwanted Program Detected 2
24 rpc-portmap-decode Decode of an RPC Query 2
25 shellcode-detect Executable code was detected 1
26 social-engineering Possible Social Engineering Attempted 2
27 string-detect A suspicious string was detected 3
28 successful-admin Successful Administrator Privilege Gain 1
29 successful-dos Denial of Service 2
30 successful-recon-largescale Large Scale Information Leak 2
31 successful-recon-limited Information Leak 2
32 successful-user Successful User Privilege Gain 1
33 suspicious-filename-detect A suspicious filename was detected 2
34 suspicious-login An attempted login using a suspicious username was detected 2
35 system-call-detect A system call was detected 2
36 targeted-activity Targeted Malicious Activity was Detected 1
37 tcp-connection A TCP connection was detected 4
38 trojan-activity A Network Trojan was detected 1
39 unknown Unknown Traffic 3
40 unsuccessful-user Unsuccessful User Privilege Gain 1
41 unusual-client-port-connection A client was using an unusual port 2
42 web-application-activity access to a potentially vulnerable web application 2
43 web-application-attack Web Application Attack 1

126
salt/suricata/classification.yml
View File

@@ -1,126 +0,0 @@
- '3': 3
Not Suspicious Traffic: Unknown Traffic
not-suspicious: unknown
- '3': 2
Not Suspicious Traffic: Potentially Bad Traffic
not-suspicious: bad-unknown
- '3': 2
Not Suspicious Traffic: Attempted Information Leak
not-suspicious: attempted-recon
- '3': 2
Not Suspicious Traffic: Information Leak
not-suspicious: successful-recon-limited
- '3': 2
Not Suspicious Traffic: Large Scale Information Leak
not-suspicious: successful-recon-largescale
- '3': 2
Not Suspicious Traffic: Attempted Denial of Service
not-suspicious: attempted-dos
- '3': 2
Not Suspicious Traffic: Denial of Service
not-suspicious: successful-dos
- '3': 1
Not Suspicious Traffic: Attempted User Privilege Gain
not-suspicious: attempted-user
- '3': 1
Not Suspicious Traffic: Unsuccessful User Privilege Gain
not-suspicious: unsuccessful-user
- '3': 1
Not Suspicious Traffic: Successful User Privilege Gain
not-suspicious: successful-user
- '3': 1
Not Suspicious Traffic: Attempted Administrator Privilege Gain
not-suspicious: attempted-admin
- '3': 1
Not Suspicious Traffic: Successful Administrator Privilege Gain
not-suspicious: successful-admin
- '3': 2
Not Suspicious Traffic: Decode of an RPC Query
not-suspicious: rpc-portmap-decode
- '3': 1
Not Suspicious Traffic: Executable code was detected
not-suspicious: shellcode-detect
- '3': 3
Not Suspicious Traffic: A suspicious string was detected
not-suspicious: string-detect
- '3': 2
Not Suspicious Traffic: A suspicious filename was detected
not-suspicious: suspicious-filename-detect
- '3': 2
Not Suspicious Traffic: An attempted login using a suspicious username was detected
not-suspicious: suspicious-login
- '3': 2
Not Suspicious Traffic: A system call was detected
not-suspicious: system-call-detect
- '3': 4
Not Suspicious Traffic: A TCP connection was detected
not-suspicious: tcp-connection
- '3': 1
Not Suspicious Traffic: A Network Trojan was detected
not-suspicious: trojan-activity
- '3': 2
Not Suspicious Traffic: A client was using an unusual port
not-suspicious: unusual-client-port-connection
- '3': 3
Not Suspicious Traffic: Detection of a Network Scan
not-suspicious: network-scan
- '3': 2
Not Suspicious Traffic: Detection of a Denial of Service Attack
not-suspicious: denial-of-service
- '3': 2
Not Suspicious Traffic: Detection of a non-standard protocol or event
not-suspicious: non-standard-protocol
- '3': 3
Not Suspicious Traffic: Generic Protocol Command Decode
not-suspicious: protocol-command-decode
- '3': 2
Not Suspicious Traffic: access to a potentially vulnerable web application
not-suspicious: web-application-activity
- '3': 1
Not Suspicious Traffic: Web Application Attack
not-suspicious: web-application-attack
- '3': 3
Not Suspicious Traffic: Misc activity
not-suspicious: misc-activity
- '3': 2
Not Suspicious Traffic: Misc Attack
not-suspicious: misc-attack
- '3': 3
Not Suspicious Traffic: Generic ICMP event
not-suspicious: icmp-event
- '3': 1
Not Suspicious Traffic: Inappropriate Content was Detected
not-suspicious: inappropriate-content
- '3': 1
Not Suspicious Traffic: Potential Corporate Privacy Violation
not-suspicious: policy-violation
- '3': 2
Not Suspicious Traffic: Attempt to login by a default username and password
not-suspicious: default-login-attempt
- '3': 1
Not Suspicious Traffic: Targeted Malicious Activity was Detected
not-suspicious: targeted-activity
- '3': 1
Not Suspicious Traffic: Exploit Kit Activity Detected
not-suspicious: exploit-kit
- '3': 2
Not Suspicious Traffic: Device Retrieving External IP Address Detected
not-suspicious: external-ip-check
- '3': 1
Not Suspicious Traffic: Domain Observed Used for C2 Detected
not-suspicious: domain-c2
- '3': 2
Not Suspicious Traffic: Possibly Unwanted Program Detected
not-suspicious: pup-activity
- '3': 1
Not Suspicious Traffic: Successful Credential Theft Detected
not-suspicious: credential-theft
- '3': 2
Not Suspicious Traffic: Possible Social Engineering Attempted
not-suspicious: social-engineering
- '3': 2
Not Suspicious Traffic: Crypto Currency Mining Activity Detected
not-suspicious: coin-mining
- '3': 1
Not Suspicious Traffic: Malware Command and Control Activity Detected
not-suspicious: command-and-control

1
salt/suricata/files/classification.config.jinja
View File

@@ -5,6 +5,7 @@
#
{% for sn, details in suricata_defaults.suricata.classification.items() -%}
{% if not details -%}
{% set details = {} -%}
{% do details.update({'description': 'The description is not set', 'priority': '1'}) -%}
{% endif -%}
config classification: {{sn}}, {{details.get('description', 'The description is not set')}}, {{details.get('priority', '1')}}