perdition (imap/pop3 proxy) rule #407
Conversation
Hello @gkissand, Thanks for your contribution. We will review it and if possible, it will be added to Wazuh-Ruleset. Juan Pablo Sáez
Hello @gkissand,
First, thanks for your contribution to the Ruleset project.
Rules and decoders work fine.
We will merge it as soon as possible.
Regards, Eva
rules/0625-perdition_rules.xml
- Author: George Kissandrakis <gkissand@gmail.com> | ||
--> | ||
<group name="syslog,perdition"> | ||
<rule id="100100" level="0"> |
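Review bot: the `<rule id="100100" level="0">` line uses an ID in the range Wazuh reserves for local custom rules (100000 and above), so rules shipped in the official ruleset cannot keep it; renumber into a range agreed with the maintainers (the thread settles on 2961-2963 in 0020-syslog_rules.xml). As a style point, group names in this ruleset conventionally end with a trailing comma, i.e. `<group name="syslog,perdition,">`, so the file matches the others.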
Hi, rule IDs greater than 100000 are reserved for custom rules. Please change these IDs to others less than 100000.
Thanks.
Hi,
Should I do the rule id changes?
If so, is there an inventory of rule ids not to use an id that is already in use?
Thank you
George
Hi @gkissand,
First of all, thanks for your contribution to the project.
I think the best solution here is to add this group of rules to the syslog dedicated file: https://github.com/wazuh/wazuh-ruleset/blob/3.10/rules/0020-syslog_rules.xml
That way we are not creating a new file for three rules related to syslog. You can continue the rule ID numbering of that file. I would use IDs 2961-2963.
Regards.
I added the perdition rules in the syslog file as recommended.
Hi @gkissand, I cannot see any change in the Syslog rules file. Have you pushed your last changes? Regards.
As you might have realized I am not very familiar with GitHub/git. I think I managed this time. If it's not a problem, feel free to do any changes needed for merging to master. Thank you.
Now I see the rules duplicated, don't worry about it, I'll fix it while merging. Thanks again for the contribution and for applying the requested changes. It will be available in the next minor version (3.10.0). Regards.
This decoder and rule will monitor perdition connections and create a level 10 alert on multiple connections from the same source IP.
For maintainers: PCI tags, descriptions etc. were copied from the pure-ftp decoders/rules. It successfully detected DoS attacks (tested live).
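The detection the PR describes, written out as an added example that is not the contributor's code or the merged ruleset: a decoder for perdition's syslog output and a three-rule chain using the 2961-2963 IDs the reviewer suggested. The log line layout (`perdition[pid]: Connect: <src>-><dst>`), the threshold of 10 connections in 60 seconds, the decoder names and the rule descriptions are assumptions made for this example.

```xml
<!-- Added example, not the PR's decoder/rules. Assumed (constructed) perdition line:
     Jun  1 12:00:00 mailgw perdition.imap4[2112]: Connect: 198.51.100.7->10.0.0.5
     Decoder side (would live in a decoder file, e.g. local_decoder.xml): -->
<decoder name="perdition">
  <!-- ^perdition also covers program names such as perdition.imap4 / perdition.pop3 -->
  <program_name>^perdition</program_name>
</decoder>

<decoder name="perdition-connect">
  <parent>perdition</parent>
  <prematch>^Connect: </prematch>
  <!-- "source->destination" is the assumed layout; srcip must decode for rule 2963 -->
  <regex offset="after_prematch">^(\S+)->(\S+)</regex>
  <order>srcip,dstip</order>
</decoder>

<!-- Rule side, continuing the syslog file numbering as suggested in the review: -->
<group name="syslog,perdition,">
  <rule id="2961" level="0">
    <decoded_as>perdition</decoded_as>
    <description>Perdition messages grouped.</description>
  </rule>

  <rule id="2962" level="3">
    <if_sid>2961</if_sid>
    <match>^Connect: </match>
    <description>Perdition: connection from $(srcip) to $(dstip).</description>
    <group>connection_attempt,</group>
  </rule>

  <!-- frequency/timeframe values are an assumption; tune to the proxy's normal load -->
  <rule id="2963" level="10" frequency="10" timeframe="60">
    <if_matched_sid>2962</if_matched_sid>
    <same_source_ip />
    <description>Perdition: multiple connections from the same source IP.</description>
    <group>connection_attempt,</group>
  </rule>
</group>
```

Before relying on rule 2963, feed the sample line to the logtest tool of the installed version (`ossec-logtest` on Wazuh 3.x) and confirm that `srcip` is actually decoded: `same_source_ip` compares that field, so if the real perdition format differs from the assumed one the child decoder never fires and the level 10 rule silently never triggers.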