CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 17:22:49 +01:00
Code Issues Packages Projects Releases Wiki Activity

Add and Update IDH Plays

Browse Source
This commit is contained in:
Josh Brower
2022-02-24 15:06:04 -05:00
parent babc114d27
commit fbc702375c
17 changed files with 267 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
salt/idh/defaults/http.defaults.yaml
View File

@@ -1,10 +1,10 @@
idh: idh:
opencanary: opencanary:
config: config:
http.banner: Apache/2.2.22 (Ubuntu) http.banner: Apache/2.2.34 (Ubuntu)
http.enabled: true http.enabled: true
http.port: 80 http.port: 80
http.skin: nasLogin http.skin: basicLogin
http.skin.list: http.skin.list:
- desc: Plain HTML Login - desc: Plain HTML Login
name: basicLogin name: basicLogin

8
salt/idh/plays/idh_ftp.yml
View File

@@ -3,11 +3,15 @@ id: d2d82069-30a7-4ac3-b584-ba696fbc24fd
status: experimental status: experimental
description: Detects when the FTP service on a SO IDH node has had a login attempt. description: Detects when the FTP service on a SO IDH node has had a login attempt.
author: Security Onion Solutions author: Security Onion Solutions
license: MIT
references:
- https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
- https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
logsource: logsource:
product: idh product: opencanary
detection: detection:
selection: selection:
event.code: logtype:
- 2000 - 2000
condition: selection condition: selection
falsepositives: falsepositives:

21
salt/idh/plays/idh_git.yml Normal file
View File

@@ -0,0 +1,21 @@
title: SO IDH - Git Clone Request
id: 7e48bfa0-8175-4c0f-8f5a-a8b9a005a4c3
status: experimental
description: Detects when the Git service on a SO IDH node has had a git clone request.
author: Security Onion Solutions
license: MIT
references:
- https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
- https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
logsource:
product: opencanary
detection:
selection:
logtype:
- 16001
condition: selection
falsepositives:
- None
fields:
- source.ip
level: critical

22
salt/idh/plays/idh_http.yml Normal file
View File

@@ -0,0 +1,22 @@
title: SO IDH - HTTP Accessed
id: 34300b04-3350-4f4b-bf8c-9bfbfdc9914f
status: experimental
description: Detects when the HTTP service on a SO IDH node has had a Get request (logtype 3000), or a login attempt (logtype 3001).
author: Security Onion Solutions
license: MIT
references:
- https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
- https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
logsource:
product: opencanary
detection:
selection:
logtype:
- 3000 #Get request
- 3001 #Login attempt
condition: selection
falsepositives:
- None
fields:
- source.ip
level: critical

14
salt/idh/plays/idh_httpproxy.yml
View File

@@ -1,14 +1,18 @@
title: SO IDH - HTTP Proxy Attempted Proxy title: SO IDH - HTTP Proxy Attempted Proxy Login
id: 6722bba8-5713-4463-b3ab-8432224928c2 id: 6722bba8-5713-4463-b3ab-8432224928c2
status: experimental status: experimental
description: Detects when the HTTP Proxy service on a SO IDH node has had a proxy attempt. description: Detects when the HTTP Proxy service on a SO IDH node has had a proxy login attempt.
author: Security Onion Solutions author: Security Onion Solutions
license: MIT
references:
- https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
- https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
logsource: logsource:
product: idh product: opencanary
detection: detection:
selection: selection:
event.code: logtype:
- 2000 - 7001
condition: selection condition: selection
falsepositives: falsepositives:
- None - None

22
salt/idh/plays/idh_mssql.yml Normal file
View File

@@ -0,0 +1,22 @@
title: SO IDH - MSSQL Attempted Login
id: 3c36173e-9b56-4b03-b2d4-d420a9a7917f
status: experimental
description: Detects when the MS SQL service on a SO IDH node has had a login attempt.
author: Security Onion Solutions
license: MIT
references:
- https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
- https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
logsource:
product: opencanary
detection:
selection:
logtype:
- 9001 #SQL Auth
- 9002 #Windows Auth
condition: selection
falsepositives:
- None
fields:
- source.ip
level: critical

21
salt/idh/plays/idh_mysql.yml Normal file
View File

@@ -0,0 +1,21 @@
title: SO IDH - MySQL Attempted Login
id: fd9bfee4-301c-40e2-8f4e-857088cb3969
status: experimental
description: Detects when the MySQL service on a SO IDH node has had a login attempt.
author: Security Onion Solutions
license: MIT
references:
- https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
- https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
logsource:
product: opencanary
detection:
selection:
logtype:
- 8001
condition: selection
falsepositives:
- None
fields:
- source.ip
level: critical

21
salt/idh/plays/idh_ntp.yml Normal file
View File

@@ -0,0 +1,21 @@
title: SO IDH - NTP Service Request
id: 883202b4-b974-4779-af98-8ecb0b90ba9e
status: experimental
description: Detects when the NTP service on a SO IDH node has had a NTP request sent to it.
author: Security Onion Solutions
license: MIT
references:
- https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
- https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
logsource:
product: opencanary
detection:
selection:
logtype:
- 11001
condition: selection
falsepositives:
- None
fields:
- source.ip
level: critical

21
salt/idh/plays/idh_redis.yml Normal file
View File

@@ -0,0 +1,21 @@
title: SO IDH - Redis Accessed
id: 61bd7f23-90c4-41b0-a70d-9991b863e3f7
status: experimental
description: Detects when the Redis service on a SO IDH node has had an action sent to it.
author: Security Onion Solutions
license: MIT
references:
- https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
- https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
logsource:
product: opencanary
detection:
selection:
logtype:
- 17001
condition: selection
falsepositives:
- None
fields:
- source.ip
level: critical

21
salt/idh/plays/idh_sip.yml Normal file
View File

@@ -0,0 +1,21 @@
title: SO IDH - SIP Request
id: c2bd0439-2aac-416d-93f5-adad8aa1131b
status: experimental
description: Detects when the SIP service on a SO IDH node has had a SIP request sent to it.
author: Security Onion Solutions
license: MIT
references:
- https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
- https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
logsource:
product: opencanary
detection:
selection:
logtype:
- 15001
condition: selection
falsepositives:
- None
fields:
- source.ip
level: critical

21
salt/idh/plays/idh_smb.yml Normal file
View File

@@ -0,0 +1,21 @@
title: SO IDH - SMB Request
id: 3ef55cde-1edd-414e-b1ba-499db822aef7
status: experimental
description: Detects when the SMB service on a SO IDH node has been accessed.
author: Security Onion Solutions
license: MIT
references:
- https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
- https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
logsource:
product: opencanary
detection:
selection:
logtype:
- 5000
condition: selection
falsepositives:
- None
fields:
- source.ip
level: critical

21
salt/idh/plays/idh_snmp.yml Normal file
View File

@@ -0,0 +1,21 @@
title: SO IDH - SNMP OID Request
id: 7be20101-6701-4bfb-a0cd-dbf830e46d85
status: experimental
description: Detects when the SNMP service on a SO IDH node has had an OID request sent to it.
author: Security Onion Solutions
license: MIT
references:
- https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
- https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
logsource:
product: opencanary
detection:
selection:
logtype:
- 13001
condition: selection
falsepositives:
- None
fields:
- source.ip
level: critical

12
salt/idh/plays/idh_ssh.yml
View File

@@ -1,13 +1,17 @@
title: SO IDH - SSH Login Attempt title: SO IDH - SSH Accessed
id: b7a09f0a-88ca-4fe0-bc8a-92106133e231 id: b7a09f0a-88ca-4fe0-bc8a-92106133e231
status: experimental status: experimental
description: Detects when the SSH service on a SO IDH node has had a login attempt. description: Detects when the SSH service on a SO IDH node has had a new connection (logtype 4000) or login attempt (logtype 4002).
author: Security Onion Solutions author: Security Onion Solutions
license: MIT
references:
- https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
- https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
logsource: logsource:
product: idh product: opencanary
detection: detection:
selection: selection:
event.code: logtype:
- 4000 - 4000
- 4001 - 4001
- 4002 - 4002

21
salt/idh/plays/idh_telnet.yml Normal file
View File

@@ -0,0 +1,21 @@
title: SO IDH - Telnet Login Attempt
id: 4f3314c2-41cd-4ace-bdcf-5564beb78def
status: experimental
description: Detects when the Telnet service on a SO IDH node has had a login attempt.
author: Security Onion Solutions
license: MIT
references:
- https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
- https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
logsource:
product: opencanary
detection:
selection:
logtype:
- 6001
condition: selection
falsepositives:
- None
fields:
- source.ip
level: critical

10
salt/idh/plays/idh_tftp.yml
View File

@@ -3,12 +3,16 @@ id: 6722bba8-5713-4463-b3ab-8432224928c2
status: experimental status: experimental
description: Detects when the TFTP service on a SO IDH node has had requests. description: Detects when the TFTP service on a SO IDH node has had requests.
author: Security Onion Solutions author: Security Onion Solutions
license: MIT
references:
- https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
- https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
logsource: logsource:
product: idh product: opencanary
detection: detection:
selection: selection:
event.code: logtype:
- 2000 - 10001
condition: selection condition: selection
falsepositives: falsepositives:
- None - None

21
salt/idh/plays/idh_vnc.yml Normal file
View File

@@ -0,0 +1,21 @@
title: SO IDH - VNC Login Attempt
id: 2d4ec11b-9d7c-464f-a9fa-e555e5cd605a
status: experimental
description: Detects when the VNC service on a SO IDH node has had a login attempt.
author: Security Onion Solutions
license: MIT
references:
- https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
- https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
logsource:
product: opencanary
detection:
selection:
logtype:
- 12001
condition: selection
falsepositives:
- None
fields:
- source.ip
level: critical