CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 17:22:49 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #7296 from Security-Onion-Solutions/delta

Browse Source 
IDH - Import & Enables Plays
This commit is contained in:
Josh Brower
2022-02-23 10:52:37 -05:00
committed by GitHub
parent 00dbf54a5f 83aa261d88
commit b7b2183c15
5 changed files with 66 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
salt/idh/plays/idh_ftp.yml Normal file
View File

@@ -0,0 +1,17 @@
title: SO IDH - FTP Login Attempt
id: d2d82069-30a7-4ac3-b584-ba696fbc24fd
status: experimental
description: Detects when the FTP service on a SO IDH node has had a login attempt.
author: Security Onion Solutions
logsource:
product: idh
detection:
selection:
event.code:
- 2000
condition: selection
falsepositives:
- None
fields:
- source.ip
level: critical

17
salt/idh/plays/idh_httpproxy.yml Normal file
View File

@@ -0,0 +1,17 @@
title: SO IDH - HTTP Proxy Attempted Proxy
id: 6722bba8-5713-4463-b3ab-8432224928c2
status: experimental
description: Detects when the HTTP Proxy service on a SO IDH node has had a proxy attempt.
author: Security Onion Solutions
logsource:
product: idh
detection:
selection:
event.code:
- 2000
condition: selection
falsepositives:
- None
fields:
- source.ip
level: critical

5
salt/idh/Plays/IDH_SSH.yaml → salt/idh/plays/idh_ssh.yml
View File

@@ -1,6 +1,7 @@
title: SO IDH - SSH Accessed title: SO IDH - SSH Login Attempt
id: b7a09f0a-88ca-4fe0-bc8a-92106133e231
status: experimental status: experimental
description: Detects when the SSH service on a SO IDH node has been probed. description: Detects when the SSH service on a SO IDH node has had a login attempt.
author: Security Onion Solutions author: Security Onion Solutions
logsource: logsource:
product: idh product: idh

17
salt/idh/plays/idh_tftp.yml Normal file
View File

@@ -0,0 +1,17 @@
title: SO IDH - TFTP Requests
id: 6722bba8-5713-4463-b3ab-8432224928c2
status: experimental
description: Detects when the TFTP service on a SO IDH node has had requests.
author: Security Onion Solutions
logsource:
product: idh
detection:
selection:
event.code:
- 2000
condition: selection
falsepositives:
- None
fields:
- source.ip
level: critical

12
salt/playbook/init.sls
View File

@@ -110,6 +110,18 @@ so-playbookruleupdatecron:
- minute: '1' - minute: '1'
- hour: '6' - hour: '6'
{% if 'idh' in salt['cmd.shell']("ls /opt/so/saltstack/local/pillar/minions/|awk -F'_' {'print $2'}|awk -F'.' {'print $1'}").split() %}
idh-plays:
file.recurse:
- name: /opt/so/conf/soctopus/sigma-import
- source: salt://idh/plays
- makedirs: True
cmd.run:
- name: so-playbook-import true
- onchanges:
- file: /opt/so/conf/soctopus/sigma-import
{% endif %}
{% else %} {% else %}
{{sls}}_state_not_allowed: {{sls}}_state_not_allowed: