From 1bfde852f55c227c2479e18b50c2dff396025d2e Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Thu, 26 May 2022 11:43:31 -0400
Subject: [PATCH] manage suricata classifications.config
https://github.com/Security-Onion-Solutions/securityonion/issues/7918
---
 salt/suricata/classification.csv | 43 ------
 salt/suricata/classification.yml | 126 ------------------
 .../files/classification.config.jinja | 1 +
 3 files changed, 1 insertion(+), 169 deletions(-)
 delete mode 100644 salt/suricata/classification.csv
 delete mode 100644 salt/suricata/classification.yml
diff --git a/salt/suricata/classification.csv b/salt/suricata/classification.csv
deleted file mode 100644
index a35b67acf..000000000
--- a/salt/suricata/classification.csv
+++ /dev/null
@@ -1,43 +0,0 @@
-attempted-admin,Attempted Administrator Privilege Gain,1
-attempted-dos,Attempted Denial of Service,2
-attempted-recon,Attempted Information Leak,2
-attempted-user,Attempted User Privilege Gain,1
-bad-unknown,Potentially Bad Traffic, 2
-coin-mining,Crypto Currency Mining Activity Detected,2
-command-and-control,Malware Command and Control Activity Detected,1
-credential-theft,Successful Credential Theft Detected,1
-default-login-attempt,Attempt to login by a default username and password,2
-denial-of-service,Detection of a Denial of Service Attack,2
-domain-c2,Domain Observed Used for C2 Detected,1
-exploit-kit,Exploit Kit Activity Detected,1
-external-ip-check,Device Retrieving External IP Address Detected,2
-icmp-event,Generic ICMP event,3
-inappropriate-content,Inappropriate Content was Detected,1
-misc-activity,Misc activity,3
-misc-attack,Misc Attack,2
-network-scan,Detection of a Network Scan,3
-non-standard-protocol,Detection of a non-standard protocol or event,2
-not-suspicious,Not Suspicious Traffic,3
-policy-violation,Potential Corporate Privacy Violation,1
-protocol-command-decode,Generic Protocol Command Decode,3
-pup-activity,Possibly Unwanted Program Detected,2
-rpc-portmap-decode,Decode of an RPC Query,2
-shellcode-detect,Executable code was detected,1
-social-engineering,Possible Social Engineering Attempted,2
-string-detect,A suspicious string was detected,3
-successful-admin,Successful Administrator Privilege Gain,1
-successful-dos,Denial of Service,2
-successful-recon-largescale,Large Scale Information Leak,2
-successful-recon-limited,Information Leak,2
-successful-user,Successful User Privilege Gain,1
-suspicious-filename-detect,A suspicious filename was detected,2
-suspicious-login,An attempted login using a suspicious username was detected,2
-system-call-detect,A system call was detected,2
-targeted-activity,Targeted Malicious Activity was Detected,1
-tcp-connection,A TCP connection was detected,4
-trojan-activity,A Network 
Trojan was detected, 1
-unknown,Unknown Traffic,3
-unsuccessful-user,Unsuccessful User Privilege Gain,1
-unusual-client-port-connection,A client was using an unusual port,2
-web-application-activity,access to a potentially vulnerable web application,2
-web-application-attack,Web Application Attack,1
diff --git a/salt/suricata/classification.yml b/salt/suricata/classification.yml
deleted file mode 100644
index e0ca109a9..000000000
--- a/salt/suricata/classification.yml
+++ /dev/null
@@ -1,126 +0,0 @@
-- '3': 3
- Not Suspicious Traffic: Unknown Traffic
- not-suspicious: unknown
-- '3': 2
- Not Suspicious Traffic: Potentially Bad Traffic
- not-suspicious: bad-unknown
-- '3': 2
- Not Suspicious Traffic: Attempted Information Leak
- not-suspicious: attempted-recon
-- '3': 2
- Not Suspicious Traffic: Information Leak
- not-suspicious: successful-recon-limited
-- '3': 2
- Not Suspicious Traffic: Large Scale Information Leak
- not-suspicious: successful-recon-largescale
-- '3': 2
- Not Suspicious Traffic: Attempted Denial of Service
- not-suspicious: attempted-dos
-- '3': 2
- Not Suspicious Traffic: Denial of Service
- not-suspicious: successful-dos
-- '3': 1
- Not Suspicious Traffic: Attempted User Privilege Gain
- not-suspicious: attempted-user
-- '3': 1
- Not Suspicious Traffic: Unsuccessful User Privilege Gain
- not-suspicious: unsuccessful-user
-- '3': 1
- Not Suspicious Traffic: Successful User Privilege Gain
- not-suspicious: successful-user
-- '3': 1
- Not Suspicious Traffic: Attempted Administrator Privilege Gain
- not-suspicious: attempted-admin
-- '3': 1
- Not Suspicious Traffic: Successful Administrator Privilege Gain
- not-suspicious: successful-admin
-- '3': 2
- Not Suspicious Traffic: Decode of an RPC Query
- not-suspicious: rpc-portmap-decode
-- '3': 1
- Not Suspicious Traffic: Executable code was detected
- not-suspicious: shellcode-detect
-- '3': 3
- Not Suspicious Traffic: A suspicious string was detected
- not-suspicious: string-detect
-- '3': 2
- Not Suspicious Traffic: A suspicious filename was detected
- not-suspicious: suspicious-filename-detect
-- '3': 2
- Not Suspicious Traffic: An attempted login using a suspicious username was detected
- not-suspicious: suspicious-login
-- '3': 2
- Not Suspicious Traffic: A system call was detected
- not-suspicious: system-call-detect
-- '3': 4
- Not Suspicious Traffic: A TCP connection was detected
- not-suspicious: tcp-connection
-- '3': 1
- Not Suspicious Traffic: A Network Trojan was 
detected
- not-suspicious: trojan-activity
-- '3': 2
- Not Suspicious Traffic: A client was using an unusual port
- not-suspicious: unusual-client-port-connection
-- '3': 3
- Not Suspicious Traffic: Detection of a Network Scan
- not-suspicious: network-scan
-- '3': 2
- Not Suspicious Traffic: Detection of a Denial of Service Attack
- not-suspicious: denial-of-service
-- '3': 2
- Not Suspicious Traffic: Detection of a non-standard protocol or event
- not-suspicious: non-standard-protocol
-- '3': 3
- Not Suspicious Traffic: Generic Protocol Command Decode
- not-suspicious: protocol-command-decode
-- '3': 2
- Not Suspicious Traffic: access to a potentially vulnerable web application
- not-suspicious: web-application-activity
-- '3': 1
- Not Suspicious Traffic: Web Application Attack
- not-suspicious: web-application-attack
-- '3': 3
- Not Suspicious Traffic: Misc activity
- not-suspicious: misc-activity
-- '3': 2
- Not Suspicious Traffic: Misc Attack
- not-suspicious: misc-attack
-- '3': 3
- Not Suspicious Traffic: Generic ICMP event
- not-suspicious: icmp-event
-- '3': 1
- Not Suspicious Traffic: Inappropriate Content was Detected
- not-suspicious: inappropriate-content
-- '3': 1
- Not Suspicious Traffic: Potential Corporate Privacy Violation
- not-suspicious: policy-violation
-- '3': 2
- Not Suspicious Traffic: Attempt to login by a default username and password
- not-suspicious: default-login-attempt
-- '3': 1
- Not Suspicious Traffic: Targeted Malicious Activity was Detected
- not-suspicious: targeted-activity
-- '3': 1
- Not Suspicious Traffic: Exploit Kit Activity Detected
- not-suspicious: exploit-kit
-- '3': 2
- Not Suspicious Traffic: Device Retrieving External IP Address Detected
- not-suspicious: external-ip-check
-- '3': 1
- Not Suspicious Traffic: Domain Observed Used for C2 Detected
- not-suspicious: domain-c2
-- '3': 2
- Not Suspicious Traffic: Possibly Unwanted Program Detected
- not-suspicious: pup-activity
-- '3': 1
- Not Suspicious Traffic: 
Successful Credential Theft Detected
- not-suspicious: credential-theft
-- '3': 2
- Not Suspicious Traffic: Possible Social Engineering Attempted
- not-suspicious: social-engineering
-- '3': 2
- Not Suspicious Traffic: Crypto Currency Mining Activity Detected
- not-suspicious: coin-mining
-- '3': 1
- Not Suspicious Traffic: Malware Command and Control Activity Detected
- not-suspicious: command-and-control
diff --git a/salt/suricata/files/classification.config.jinja b/salt/suricata/files/classification.config.jinja
index 7b1e0c2e1..61b09222c 100644
--- a/salt/suricata/files/classification.config.jinja
+++ b/salt/suricata/files/classification.config.jinja
@@ -5,6 +5,7 @@
 #
 {% for sn, details in suricata_defaults.suricata.classification.items() -%}
 {% if not details -%}
+{% set details = {} -%}
 {% do details.update({'description': 'The description is not set', 'priority': '1'}) -%}
 {% endif -%}
 config classification: {{sn}}, {{details.get('description', 'The description is not set')}}, {{details.get('priority', '1')}}
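Review bot: The added `{% set details = {} -%}` exists only so the next line's `do details.update(...)` has a dict to mutate, so the two statements can be folded into one assignment, `{% set details = {'description': 'The description is not set', 'priority': '1'} -%}`, which keeps the defaults in one visible place and drops the reliance on the `do` extension in this branch. The rebind deserves a short comment, since it is not obvious why a loop variable is being reassigned, e.g. `{# an empty pillar value arrives as None, which has no .get(); replace it with a dict carrying the documented defaults #}`. Note that the fallback priority written for a blank entry is `'1'`, the most severe Suricata priority, so a classification left empty in pillar now renders at top severity rather than failing at render time; if that is not the intended default it is worth confirming against the existing entries. The enclosing `for` loop's `endfor` lies outside the hunk.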