IDH - Play tweaks, Setup summary, log rotate

salt/idh/defaults/http.defaults.yaml

@@ -4,7 +4,7 @@ idh:
       http.banner: Apache/2.2.34 (Ubuntu)
       http.enabled: true
       http.port: 80
-      http.skin: basicLogin
+      http.skin: nasLogin
       http.skin.list:
       - desc: Plain HTML Login
         name: basicLogin

salt/idh/plays/idh_ftp.yml

@@ -13,7 +13,10 @@ detection:
   selection:
     logtype:
     - 2000
-  condition: selection
+  custom_filter:
+    source.ip:
+    - x.x.x.x
+  condition: selection #and not custom_filter
 falsepositives:
   - None
 fields:

salt/idh/plays/idh_git.yml

@@ -13,7 +13,10 @@ detection:
   selection:
     logtype:
     - 16001
-  condition: selection
+  custom_filter:
+    source.ip:
+    - x.x.x.x
+  condition: selection #and not custom_filter
 falsepositives:
   - None
 fields:

salt/idh/plays/idh_http_get.yml

@@ -1,7 +1,7 @@
 title: SO IDH - HTTP Accessed
 id: 34300b04-3350-4f4b-bf8c-9bfbfdc9914f
 status: experimental
-description: Detects when the HTTP service on a SO IDH node has had a Get request (logtype 3000), or a login attempt (logtype 3001).
+description: Detects when the HTTP service on a SO IDH node has had a Get request.
 author: Security Onion Solutions
 license: MIT
 references: 
@@ -12,9 +12,11 @@ logsource:
 detection:
   selection:
     logtype:
-    - 3000 #Get request
-    - 3001 #Login attempt
-  condition: selection
+    - 3000
+  custom_filter:
+    source.ip:
+    - x.x.x.x
+  condition: selection #and not custom_filter
 falsepositives:
   - None
 fields:

salt/idh/plays/idh_http_login.yml

@@ -0,0 +1,24 @@
+title: SO IDH - HTTP Login Attempt
+id: 19449e62-93fa-40bd-8d0a-2564535d3652
+status: experimental
+description: Detects when the HTTP service on a SO IDH node has had a login attempt.
+author: Security Onion Solutions
+license: MIT
+references: 
+  - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
+  - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
+logsource:
+  product: opencanary
+detection:
+  selection:
+    logtype:
+    - 3001
+  custom_filter:
+    source.ip:
+    - x.x.x.x
+  condition: selection #and not custom_filter
+falsepositives:
+  - None
+fields:
+  - source.ip
+level: critical

salt/idh/plays/idh_httpproxy.yml

@@ -13,7 +13,10 @@ detection:
   selection:
     logtype:
     - 7001
-  condition: selection
+  custom_filter:
+    source.ip:
+    - x.x.x.x
+  condition: selection #and not custom_filter
 falsepositives:
   - None
 fields:

salt/idh/plays/idh_mssql.yml

@@ -14,7 +14,10 @@ detection:
     logtype:
     - 9001 #SQL Auth
     - 9002 #Windows Auth
-  condition: selection
+  custom_filter:
+    source.ip:
+    - x.x.x.x
+  condition: selection #and not custom_filter
 falsepositives:
   - None
 fields:

salt/idh/plays/idh_mysql.yml

@@ -13,7 +13,10 @@ detection:
   selection:
     logtype:
     - 8001
-  condition: selection
+  custom_filter:
+    source.ip:
+    - x.x.x.x
+  condition: selection #and not custom_filter
 falsepositives:
   - None
 fields:

salt/idh/plays/idh_ntp.yml

@@ -13,7 +13,10 @@ detection:
   selection:
     logtype:
     - 11001
-  condition: selection
+  custom_filter:
+    source.ip:
+    - x.x.x.x
+  condition: selection #and not custom_filter
 falsepositives:
   - None
 fields:

salt/idh/plays/idh_redis.yml

@@ -13,7 +13,10 @@ detection:
   selection:
     logtype:
     - 17001
-  condition: selection
+  custom_filter:
+    source.ip:
+    - x.x.x.x
+  condition: selection #and not custom_filter
 falsepositives:
   - None
 fields:

salt/idh/plays/idh_sip.yml

@@ -13,7 +13,10 @@ detection:
   selection:
     logtype:
     - 15001
-  condition: selection
+  custom_filter:
+    source.ip:
+    - x.x.x.x
+  condition: selection #and not custom_filter
 falsepositives:
   - None
 fields:

salt/idh/plays/idh_smb.yml

@@ -13,7 +13,10 @@ detection:
   selection:
     logtype:
     - 5000
-  condition: selection
+  custom_filter:
+    source.ip:
+    - x.x.x.x
+  condition: selection #and not custom_filter
 falsepositives:
   - None
 fields:

salt/idh/plays/idh_snmp.yml

@@ -13,7 +13,10 @@ detection:
   selection:
     logtype:
     - 13001
-  condition: selection
+  custom_filter:
+    source.ip:
+    - x.x.x.x
+  condition: selection #and not custom_filter
 falsepositives:
   - None
 fields:

salt/idh/plays/idh_ssh.yml

@@ -15,7 +15,10 @@ detection:
     - 4000 
     - 4001
     - 4002
-  condition: selection
+  custom_filter:
+    source.ip:
+    - x.x.x.x
+  condition: selection #and not custom_filter
 falsepositives:
   - None
 fields:

salt/idh/plays/idh_telnet.yml

@@ -13,7 +13,10 @@ detection:
   selection:
     logtype:
     - 6001 
-  condition: selection
+  custom_filter:
+    source.ip:
+    - x.x.x.x
+  condition: selection #and not custom_filter
 falsepositives:
   - None
 fields:

salt/idh/plays/idh_tftp.yml

@@ -13,7 +13,10 @@ detection:
   selection:
     logtype:
     - 10001
-  condition: selection
+  custom_filter:
+    source.ip:
+    - x.x.x.x
+  condition: selection #and not custom_filter
 falsepositives:
   - None
 fields:

salt/idh/plays/idh_vnc.yml

@@ -13,7 +13,10 @@ detection:
   selection:
     logtype:
     - 12001 
-  condition: selection
+  custom_filter:
+    source.ip:
+    - x.x.x.x
+  condition: selection #and not custom_filter
 falsepositives:
   - None
 fields: