forked from idaholab/Malcolm
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
work on idaholab#19, assigning severity to certain types of events
- Loading branch information
Showing
2 changed files
with
214 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,24 @@ | ||
| "CONNECTION_CROSS_SEGMENT": 25 | ||
| "CONNECTION_EXTERNAL": 10 | ||
| "CONNECTION_INBOUND": 50 | ||
| "CONNECTION_INTERNAL": 1 | ||
| "CONNECTION_OUTBOUND": 25 | ||
| "DGA_HIGH_ENTROPY": 40 | ||
| "FILE_TYPE": 25 | ||
| "FILE_TYPE_HIGH": 75 | ||
| "FILE_TYPE_MEDIUM": 50 | ||
| "NOTICE_VULN": 80 | ||
| "NOTICE_MITRE_ATTACK": 80 | ||
| "NOTICE_OTHER": 80 | ||
| "NOTICE_PROTOCOL": 80 | ||
| "NOTICE_SCAN": 80 | ||
| "PASSWORD_CLEARTEXT": 90 | ||
| "PROTOCOL_OUTDATED_OR_INSECURE": 50 | ||
| "PROTOCOL_REMOTE_CONTROL": 75 | ||
| "SIGNATURES_CAPA": 50 | ||
| "SIGNATURES_CLAMAV": 90 | ||
| "SIGNATURES_MALASS": 90 | ||
| "SIGNATURES_OTHER": 75 | ||
| "SIGNATURES_VIRUSTOTAL": 90 | ||
| "SIGNATURES_YARA": 90 | ||
| "WEIRD_OTHER": 50 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,190 @@ | ||
| filter { | ||
|
|
||
| if ("cross_segment" in [tags]) { | ||
| mutate { id => "mutate_add_field_severity_item_cross_segment" | ||
| add_field => { "[zeek][severity_items]" => "CONNECTION_CROSS_SEGMENT" } } | ||
| } | ||
|
|
||
| if ("internal_source" in [tags]) and ("internal_destination" in [tags]) { | ||
| mutate { id => "mutate_add_field_severity_item_internal" | ||
| add_field => { "[zeek][severity_items]" => "CONNECTION_INTERNAL" } } | ||
| } else if ("external_source" in [tags]) and ("external_destination" in [tags]) { | ||
| mutate { id => "mutate_add_field_severity_item_external" | ||
| add_field => { "[zeek][severity_items]" => "CONNECTION_EXTERNAL" } } | ||
| } else if ("internal_source" in [tags]) and ("external_destination" in [tags]) { | ||
| mutate { id => "mutate_add_field_severity_item_outbound" | ||
| add_field => { "[zeek][severity_items]" => "CONNECTION_OUTBOUND" } } | ||
| } else if ("external_source" in [tags]) and ("internal_destination" in [tags]) { | ||
| mutate { id => "mutate_add_field_severity_item_inbound" | ||
| add_field => { "[zeek][severity_items]" => "CONNECTION_INBOUND" } } | ||
| } | ||
|
|
||
| if ([zeek][filetype]) { | ||
| # these (high/medium) file types pulled from extractor_override.interesting.zeek | ||
| if (("application/PowerShell" in [zeek][filetype]) or | ||
| ("application/vnd.microsoft.portable-executable" in [zeek][filetype]) or | ||
| ("application/x-csh" in [zeek][filetype]) or | ||
| ("application/x-dosexec" in [zeek][filetype]) or | ||
| ("application/x-elf" in [zeek][filetype]) or | ||
| ("application/x-executable" in [zeek][filetype]) or | ||
| ("application/x-ms-application" in [zeek][filetype]) or | ||
| ("application/x-msdos-program" in [zeek][filetype]) or | ||
| ("application/x-pe-app-32bit-i386" in [zeek][filetype]) or | ||
| ("application/x-perl" in [zeek][filetype]) or | ||
| ("application/x-python" in [zeek][filetype]) or | ||
| ("application/x-sh" in [zeek][filetype]) or | ||
| ("text/vbscript" in [zeek][filetype])) { | ||
| mutate { id => "mutate_add_field_severity_file_type_high" | ||
| add_field => { "[zeek][severity_items]" => "FILE_TYPE_HIGH" } } | ||
| } else if (("application/binary" in [zeek][filetype]) or | ||
| ("application/ecmascript" in [zeek][filetype]) or | ||
| ("application/hta" in [zeek][filetype]) or | ||
| ("application/java-archive" in [zeek][filetype]) or | ||
| ("application/java-serialized-object" in [zeek][filetype]) or | ||
| ("application/java-vm" in [zeek][filetype]) or | ||
| ("application/javascript" in [zeek][filetype]) or | ||
| ("application/ms-vsi" in [zeek][filetype]) or | ||
| ("application/msaccess" in [zeek][filetype]) or | ||
| ("application/msaccess.addin" in [zeek][filetype]) or | ||
| ("application/msaccess.cab" in [zeek][filetype]) or | ||
| ("application/msaccess.ftemplate" in [zeek][filetype]) or | ||
| ("application/msaccess.runtime" in [zeek][filetype]) or | ||
| ("application/msaccess.webapplication" in [zeek][filetype]) or | ||
| ("application/msexcel" in [zeek][filetype]) or | ||
| ("application/mspowerpoint" in [zeek][filetype]) or | ||
| ("application/msword" in [zeek][filetype]) or | ||
| ("application/octet-stream" in [zeek][filetype]) or | ||
| ("application/pdf" in [zeek][filetype]) or | ||
| ("application/rtf" in [zeek][filetype]) or | ||
| ("application/vnd.apple.installer+xml" in [zeek][filetype]) or | ||
| ("application/vnd.ms-cab-compressed" in [zeek][filetype]) or | ||
| ("application/vnd.ms-excel" in [zeek][filetype]) or | ||
| ("application/vnd.ms-excel.addin.macroEnabled.12" in [zeek][filetype]) or | ||
| ("application/vnd.ms-excel.addin.macroenabled.12" in [zeek][filetype]) or | ||
| ("application/vnd.ms-excel.sheet.binary.macroEnabled.12" in [zeek][filetype]) or | ||
| ("application/vnd.ms-excel.sheet.binary.macroenabled.12" in [zeek][filetype]) or | ||
| ("application/vnd.ms-excel.sheet.macroEnabled.12" in [zeek][filetype]) or | ||
| ("application/vnd.ms-excel.sheet.macroenabled.12" in [zeek][filetype]) or | ||
| ("application/vnd.ms-excel.template.macroEnabled.12" in [zeek][filetype]) or | ||
| ("application/vnd.ms-excel.template.macroenabled.12" in [zeek][filetype]) or | ||
| ("application/vnd.ms-office.calx" in [zeek][filetype]) or | ||
| ("application/vnd.ms-officetheme" in [zeek][filetype]) or | ||
| ("application/vnd.ms-powerpoint" in [zeek][filetype]) or | ||
| ("application/vnd.ms-powerpoint.addin.macroEnabled.12" in [zeek][filetype]) or | ||
| ("application/vnd.ms-powerpoint.addin.macroenabled.12" in [zeek][filetype]) or | ||
| ("application/vnd.ms-powerpoint.presentation.macroEnabled.12" in [zeek][filetype]) or | ||
| ("application/vnd.ms-powerpoint.presentation.macroenabled.12" in [zeek][filetype]) or | ||
| ("application/vnd.ms-powerpoint.slide.macroEnabled.12" in [zeek][filetype]) or | ||
| ("application/vnd.ms-powerpoint.slide.macroenabled.12" in [zeek][filetype]) or | ||
| ("application/vnd.ms-powerpoint.slideshow.macroEnabled.12" in [zeek][filetype]) or | ||
| ("application/vnd.ms-powerpoint.slideshow.macroenabled.12" in [zeek][filetype]) or | ||
| ("application/vnd.ms-powerpoint.template.macroEnabled.12" in [zeek][filetype]) or | ||
| ("application/vnd.ms-powerpoint.template.macroenabled.12" in [zeek][filetype]) or | ||
| ("application/vnd.ms-word.document.macroEnabled.12" in [zeek][filetype]) or | ||
| ("application/vnd.ms-word.document.macroenabled.12" in [zeek][filetype]) or | ||
| ("application/vnd.ms-word.template.macroEnabled.12" in [zeek][filetype]) or | ||
| ("application/vnd.ms-word.template.macroenabled.12" in [zeek][filetype]) or | ||
| ("application/vnd.openofficeorg.extension" in [zeek][filetype]) or | ||
| ("application/vnd.openxmlformats-officedocument.presentationml.presentation" in [zeek][filetype]) or | ||
| ("application/vnd.openxmlformats-officedocument.presentationml.slide" in [zeek][filetype]) or | ||
| ("application/vnd.openxmlformats-officedocument.presentationml.slideshow" in [zeek][filetype]) or | ||
| ("application/vnd.openxmlformats-officedocument.presentationml.template" in [zeek][filetype]) or | ||
| ("application/vnd.openxmlformats-officedocument.spreadsheetml.sheet" in [zeek][filetype]) or | ||
| ("application/vnd.openxmlformats-officedocument.spreadsheetml.template" in [zeek][filetype]) or | ||
| ("application/vnd.openxmlformats-officedocument.wordprocessingml.document" in [zeek][filetype]) or | ||
| ("application/vnd.openxmlformats-officedocument.wordprocessingml.template" in [zeek][filetype]) or | ||
| ("application/windows-library+xml" in [zeek][filetype]) or | ||
| ("application/x-7z-compressed" in [zeek][filetype]) or | ||
| ("application/x-ace-compressed" in [zeek][filetype]) or | ||
| ("application/x-apple-diskimage" in [zeek][filetype]) or | ||
| ("application/x-bzip" in [zeek][filetype]) or | ||
| ("application/x-bzip2" in [zeek][filetype]) or | ||
| ("application/x-cfs-compressed" in [zeek][filetype]) or | ||
| ("application/x-compress" in [zeek][filetype]) or | ||
| ("application/x-compressed" in [zeek][filetype]) or | ||
| ("application/x-cpio" in [zeek][filetype]) or | ||
| ("application/x-dgc-compressed" in [zeek][filetype]) or | ||
| ("application/x-gca-compressed" in [zeek][filetype]) or | ||
| ("application/x-gtar" in [zeek][filetype]) or | ||
| ("application/x-gzip" in [zeek][filetype]) or | ||
| ("application/x-install-instructions" in [zeek][filetype]) or | ||
| ("application/x-lzh-compressed" in [zeek][filetype]) or | ||
| ("application/x-ms-installer" in [zeek][filetype]) or | ||
| ("application/x-ms-shortcut" in [zeek][filetype]) or | ||
| ("application/x-msdownload" in [zeek][filetype]) or | ||
| ("application/x-rar-compressed" in [zeek][filetype]) or | ||
| ("application/x-shockwave-flash" in [zeek][filetype]) or | ||
| ("application/x-zip-compressed" in [zeek][filetype]) or | ||
| ("application/zip" in [zeek][filetype]) or | ||
| ("text/jscript" in [zeek][filetype]) or | ||
| ("text/rtf" in [zeek][filetype])) { | ||
| mutate { id => "mutate_add_field_severity_file_type_medium" | ||
| add_field => { "[zeek][severity_items]" => "FILE_TYPE_MEDIUM" } } | ||
| } else { | ||
| mutate { id => "mutate_add_field_severity_file_type" | ||
| add_field => { "[zeek][severity_items]" => "FILE_TYPE" } } | ||
| } | ||
| } | ||
|
|
||
| if ([zeek_notice]) { | ||
| if ([zeek_notice][category] == "ATTACK") { | ||
| mutate { id => "mutate_add_field_severity_notice_mitre_attack" | ||
| add_field => { "[zeek][severity_items]" => "NOTICE_MITRE_ATTACK" } } | ||
| } else if ([zeek_notice][category] == "Scan") { | ||
| mutate { id => "mutate_add_field_severity_notice_scan" | ||
| add_field => { "[zeek][severity_items]" => "NOTICE_SCAN" } } | ||
| } else if (([zeek_notice][category] == "FTP") or | ||
| ([zeek_notice][category] == "HTTP") or | ||
| ([zeek_notice][category] == "HTTPATTACKS") or | ||
| ([zeek_notice][category] == "SSL")) { | ||
| mutate { id => "mutate_add_field_severity_notice_protocol" | ||
| add_field => { "[zeek][severity_items]" => "NOTICE_PROTOCOL" } } | ||
| } else if (([zeek_notice][category] =~ /^CVE/) or | ||
| ([zeek_notice][category] == "EternalSafety") or | ||
| ([zeek_notice][category] == "Ripple20") or | ||
| ([zeek_notice][category] == "Zerologon")) { | ||
| mutate { id => "mutate_add_field_severity_notice_vuln" | ||
| add_field => { "[zeek][severity_items]" => "NOTICE_VULN" } } | ||
| } else { | ||
| mutate { id => "mutate_add_field_severity_notice_other" | ||
| add_field => { "[zeek][severity_items]" => "NOTICE_OTHER" } } | ||
| } | ||
| } | ||
|
|
||
| if ([zeek_weird]) { | ||
| mutate { id => "mutate_add_field_severity_weird_other" | ||
| add_field => { "[zeek][severity_items]" => "WEIRD_OTHER" } } | ||
| } | ||
|
|
||
| if ([zeek][password]) { | ||
| mutate { id => "mutate_add_field_severity_password_exists" | ||
| add_field => { "[zeek][severity_items]" => "PASSWORD_CLEARTEXT" } } | ||
| } | ||
|
|
||
| if ([zeek_signatures]) { | ||
| if ([zeek_signatures][engine] == 'capa') { | ||
| mutate { id => "mutate_add_field_severity_signatures_capa" | ||
| add_field => { "[zeek][severity_items]" => "SIGNATURES_CAPA" } } | ||
| } else if ([zeek_signatures][engine] == 'clamav') { | ||
| mutate { id => "mutate_add_field_severity_signatures_clamav" | ||
| add_field => { "[zeek][severity_items]" => "SIGNATURES_CLAMAV" } } | ||
| } else if ([zeek_signatures][engine] == 'malass') { | ||
| mutate { id => "mutate_add_field_severity_signatures_malass" | ||
| add_field => { "[zeek][severity_items]" => "SIGNATURES_MALASS" } } | ||
| } else if ([zeek_signatures][engine] == 'virustotal') { | ||
| mutate { id => "mutate_add_field_severity_signatures_virustotal" | ||
| add_field => { "[zeek][severity_items]" => "SIGNATURES_VIRUSTOTAL" } } | ||
| } else if ([zeek_signatures][engine] == 'yara') { | ||
| mutate { id => "mutate_add_field_severity_signatures_yara" | ||
| add_field => { "[zeek][severity_items]" => "SIGNATURES_YARA" } } | ||
| } else { | ||
| mutate { id => "mutate_add_field_severity_signatures_other" | ||
| add_field => { "[zeek][severity_items]" => "SIGNATURES_OTHER" } } | ||
| } | ||
| } | ||
|
|
||
| # "DGA_HIGH_ENTROPY": 40 | ||
| # "PROTOCOL_OUTDATED_OR_INSECURE": 50 | ||
|
|
||
| } # filter | ||
|
|