Merge pull request #7319 from Security-Onion-Solutions/delta

Add and Update IDH Plays
2025-12-06 09:12:45 +01:00 · 2022-02-24 15:48:38 -05:00
parent 5c747fbb4c fbc702375c
commit e8e683c2e9
17 changed files with 267 additions and 18 deletions
--- a/salt/idh/defaults/http.defaults.yaml
+++ b/salt/idh/defaults/http.defaults.yaml
@@ -1,10 +1,10 @@
 idh:
  opencanary:
    config:
-      http.banner: Apache/2.2.22 (Ubuntu)
+      http.banner: Apache/2.2.34 (Ubuntu)
      http.enabled: true
      http.port: 80
-      http.skin: nasLogin
+      http.skin: basicLogin
      http.skin.list:
      - desc: Plain HTML Login
        name: basicLogin
--- a/salt/idh/plays/idh_ftp.yml
+++ b/salt/idh/plays/idh_ftp.yml
@@ -3,11 +3,15 @@ id: d2d82069-30a7-4ac3-b584-ba696fbc24fd
 status: experimental
 description: Detects when the FTP service on a SO IDH node has had a login attempt.
 author: Security Onion Solutions
+license: MIT
+references: 
+  - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
+  - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
 logsource:
-  product: idh
+  product: opencanary
 detection:
  selection:
-    event.code:
+    logtype:
    - 2000
  condition: selection
 falsepositives:
--- a/salt/idh/plays/idh_git.yml
+++ b/salt/idh/plays/idh_git.yml
@@ -0,0 +1,21 @@
+title: SO IDH - Git Clone Request
+id: 7e48bfa0-8175-4c0f-8f5a-a8b9a005a4c3
+status: experimental
+description: Detects when the Git service on a SO IDH node has had a git clone request.
+author: Security Onion Solutions
+license: MIT
+references: 
+  - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
+  - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
+logsource:
+  product: opencanary
+detection:
+  selection:
+    logtype:
+    - 16001
+  condition: selection
+falsepositives:
+  - None
+fields:
+  - source.ip
+level: critical
--- a/salt/idh/plays/idh_http.yml
+++ b/salt/idh/plays/idh_http.yml
@@ -0,0 +1,22 @@
+title: SO IDH - HTTP Accessed
+id: 34300b04-3350-4f4b-bf8c-9bfbfdc9914f
+status: experimental
+description: Detects when the HTTP service on a SO IDH node has had a Get request (logtype 3000), or a login attempt (logtype 3001).
+author: Security Onion Solutions
+license: MIT
+references: 
+  - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
+  - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
+logsource:
+  product: opencanary
+detection:
+  selection:
+    logtype:
+    - 3000 #Get request
+    - 3001 #Login attempt
+  condition: selection
+falsepositives:
+  - None
+fields:
+  - source.ip
+level: critical
--- a/salt/idh/plays/idh_httpproxy.yml
+++ b/salt/idh/plays/idh_httpproxy.yml
@@ -1,14 +1,18 @@
-title: SO IDH - HTTP Proxy Attempted Proxy
+title: SO IDH - HTTP Proxy Attempted Proxy Login
 id: 6722bba8-5713-4463-b3ab-8432224928c2
 status: experimental
-description: Detects when the HTTP Proxy service on a SO IDH node has had a proxy attempt.
+description: Detects when the HTTP Proxy service on a SO IDH node has had a proxy login attempt.
 author: Security Onion Solutions
+license: MIT
+references: 
+  - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
+  - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
 logsource:
-  product: idh
+  product: opencanary
 detection:
  selection:
-    event.code:
-    - 2000
+    logtype:
+    - 7001
  condition: selection
 falsepositives:
  - None
--- a/salt/idh/plays/idh_mssql.yml
+++ b/salt/idh/plays/idh_mssql.yml
@@ -0,0 +1,22 @@
+title: SO IDH - MSSQL Attempted Login
+id: 3c36173e-9b56-4b03-b2d4-d420a9a7917f
+status: experimental
+description: Detects when the MS SQL service on a SO IDH node has had a login attempt.
+author: Security Onion Solutions
+license: MIT
+references: 
+  - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
+  - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
+logsource:
+  product: opencanary
+detection:
+  selection:
+    logtype:
+    - 9001 #SQL Auth
+    - 9002 #Windows Auth
+  condition: selection
+falsepositives:
+  - None
+fields:
+  - source.ip
+level: critical
--- a/salt/idh/plays/idh_mysql.yml
+++ b/salt/idh/plays/idh_mysql.yml
@@ -0,0 +1,21 @@
+title: SO IDH - MySQL Attempted Login
+id: fd9bfee4-301c-40e2-8f4e-857088cb3969
+status: experimental
+description: Detects when the MySQL service on a SO IDH node has had a login attempt.
+author: Security Onion Solutions
+license: MIT
+references: 
+  - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
+  - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
+logsource:
+  product: opencanary
+detection:
+  selection:
+    logtype:
+    - 8001
+  condition: selection
+falsepositives:
+  - None
+fields:
+  - source.ip
+level: critical
--- a/salt/idh/plays/idh_ntp.yml
+++ b/salt/idh/plays/idh_ntp.yml
@@ -0,0 +1,21 @@
+title: SO IDH - NTP Service Request
+id: 883202b4-b974-4779-af98-8ecb0b90ba9e
+status: experimental
+description: Detects when the NTP service on a SO IDH node has had a NTP request sent to it.
+author: Security Onion Solutions
+license: MIT
+references: 
+  - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
+  - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
+logsource:
+  product: opencanary
+detection:
+  selection:
+    logtype:
+    - 11001
+  condition: selection
+falsepositives:
+  - None
+fields:
+  - source.ip
+level: critical
--- a/salt/idh/plays/idh_redis.yml
+++ b/salt/idh/plays/idh_redis.yml
@@ -0,0 +1,21 @@
+title: SO IDH - Redis Accessed
+id: 61bd7f23-90c4-41b0-a70d-9991b863e3f7
+status: experimental
+description: Detects when the Redis service on a SO IDH node has had an action sent to it.
+author: Security Onion Solutions
+license: MIT
+references: 
+  - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
+  - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
+logsource:
+  product: opencanary
+detection:
+  selection:
+    logtype:
+    - 17001
+  condition: selection
+falsepositives:
+  - None
+fields:
+  - source.ip
+level: critical
--- a/salt/idh/plays/idh_sip.yml
+++ b/salt/idh/plays/idh_sip.yml
@@ -0,0 +1,21 @@
+title: SO IDH - SIP Request
+id: c2bd0439-2aac-416d-93f5-adad8aa1131b
+status: experimental
+description: Detects when the SIP service on a SO IDH node has had a SIP request sent to it.
+author: Security Onion Solutions
+license: MIT
+references: 
+  - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
+  - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
+logsource:
+  product: opencanary
+detection:
+  selection:
+    logtype:
+    - 15001
+  condition: selection
+falsepositives:
+  - None
+fields:
+  - source.ip
+level: critical
--- a/salt/idh/plays/idh_smb.yml
+++ b/salt/idh/plays/idh_smb.yml
@@ -0,0 +1,21 @@
+title: SO IDH - SMB Request
+id: 3ef55cde-1edd-414e-b1ba-499db822aef7
+status: experimental
+description: Detects when the SMB service on a SO IDH node has been accessed.
+author: Security Onion Solutions
+license: MIT
+references: 
+  - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
+  - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
+logsource:
+  product: opencanary
+detection:
+  selection:
+    logtype:
+    - 5000
+  condition: selection
+falsepositives:
+  - None
+fields:
+  - source.ip
+level: critical
--- a/salt/idh/plays/idh_snmp.yml
+++ b/salt/idh/plays/idh_snmp.yml
@@ -0,0 +1,21 @@
+title: SO IDH - SNMP OID Request
+id: 7be20101-6701-4bfb-a0cd-dbf830e46d85
+status: experimental
+description: Detects when the SNMP service on a SO IDH node has had an OID request sent to it.
+author: Security Onion Solutions
+license: MIT
+references: 
+  - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
+  - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
+logsource:
+  product: opencanary
+detection:
+  selection:
+    logtype:
+    - 13001
+  condition: selection
+falsepositives:
+  - None
+fields:
+  - source.ip
+level: critical
--- a/salt/idh/plays/idh_ssh.yml
+++ b/salt/idh/plays/idh_ssh.yml
@@ -1,13 +1,17 @@
-title: SO IDH - SSH Login Attempt
+title: SO IDH - SSH Accessed
 id: b7a09f0a-88ca-4fe0-bc8a-92106133e231
 status: experimental
-description: Detects when the SSH service on a SO IDH node has had a login attempt.
+description: Detects when the SSH service on a SO IDH node has had a new connection (logtype 4000) or login attempt (logtype 4002).
 author: Security Onion Solutions
+license: MIT
+references: 
+  - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
+  - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
 logsource:
-  product: idh
+  product: opencanary
 detection:
  selection:
-    event.code:
+    logtype:
    - 4000 
    - 4001
    - 4002
--- a/salt/idh/plays/idh_telnet.yml
+++ b/salt/idh/plays/idh_telnet.yml
@@ -0,0 +1,21 @@
+title: SO IDH - Telnet Login Attempt
+id: 4f3314c2-41cd-4ace-bdcf-5564beb78def
+status: experimental
+description: Detects when the Telnet service on a SO IDH node has had a login attempt.
+author: Security Onion Solutions
+license: MIT
+references: 
+  - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
+  - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
+logsource:
+  product: opencanary
+detection:
+  selection:
+    logtype:
+    - 6001 
+  condition: selection
+falsepositives:
+  - None
+fields:
+  - source.ip
+level: critical
--- a/salt/idh/plays/idh_tftp.yml
+++ b/salt/idh/plays/idh_tftp.yml
@@ -3,12 +3,16 @@ id: 6722bba8-5713-4463-b3ab-8432224928c2
 status: experimental
 description: Detects when the TFTP service on a SO IDH node has had requests.
 author: Security Onion Solutions
+license: MIT
+references: 
+  - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
+  - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
 logsource:
-  product: idh
+  product: opencanary
 detection:
  selection:
-    event.code:
-    - 2000
+    logtype:
+    - 10001
  condition: selection
 falsepositives:
  - None
--- a/salt/idh/plays/idh_vnc.yml
+++ b/salt/idh/plays/idh_vnc.yml
@@ -0,0 +1,21 @@
+title: SO IDH - VNC Login Attempt
+id: 2d4ec11b-9d7c-464f-a9fa-e555e5cd605a
+status: experimental
+description: Detects when the VNC service on a SO IDH node has had a login attempt.
+author: Security Onion Solutions
+license: MIT
+references: 
+  - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
+  - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
+logsource:
+  product: opencanary
+detection:
+  selection:
+    logtype:
+    - 12001 
+  condition: selection
+falsepositives:
+  - None
+fields:
+  - source.ip
+level: critical