Feature request - same destination IP + different src/dst IP/Port, error in Rules Syntax Documentation page.


InfoSec

Jan 22, 2018, 1:50:16 AM1/22/18
to Wazuh mailing list
Wazuh rules allow same source IP, same source port, same destination port. Why has the same destination IP been omitted? A flood of allowed inbound packets against one destination IP and port is a telltale indicator of a DoS attack.

It would be very useful to have different source IP, different source port, different destination IP, and different destination port in detecting (among other scenarios) lateral movement from network firewall logs.

The rules syntax doc page mentions 'same_source_port' which does not work, the actual rule syntax is 'same_src_port'.

Dmitriy

Jan 26, 2018, 6:45:02 AM1/26/18
to Wazuh mailing list
Hi.
As I understand it, you can use dynamic decoder fields. You can write a decoder that parses the FW logs and extracts dst ports, src ports and other parameters. Then you write a ruleset for this decoder. For rulesets with specific IPs and ports you can use a CDB list.

I didn't do the above. This is based on assumptions from documents.

On Monday, 22 January 2018 at 9:50:16 UTC+3, InfoSec wrote:

Victor Fernandez

Jan 29, 2018, 6:52:36 AM1/29/18
to Dmitriy, Wazuh mailing list
Hi,

you are right, the comparison options are incomplete. There are only these options:
  • same_source_ip
  • same_src_port
  • same_dst_port
  • same_user
  • same_location
  • same_id
  • different_url
  • different_srcgeoip
I think that extending these options to all the static fields and two new options for dynamic fields: 
  • <same>field</same>
  • <different>field</different>
would add much value to the ruleset capacities. We will add this feature as a request to our roadmap; I hope it is available in upcoming versions.

Best regards,

Victor M Fernandez-Castro 
IT Engineer — Wazuh, Inc.


Jahchan, Georges J.

Jan 30, 2018, 4:56:41 AM1/30/18
to Wazuh mailing list
For a complete implementation, we should be able to 'or' the fields in the same expression and 'and' multiple 'same' and 'different' lines in the same rule, as well as be able to compare numeric values, as in the example below:

<rule name="rule_name" level="XX">
  <if_sid>xxxxx</if_sid>
  <same>field1|field2|...</same>
  <different>field4|field5|...</different>
  <gt>field6|field7|...</gt>
  <lt>field8|field9|...</lt>
  <gte>field10|field11|...</gte>
  <lte>field12|field13|...</lte>
  <description>Some description.</description>
</rule>

where <gt>, <gte>, <lt>, <lte> stand for greater than, greater than or equal, less than, less than or equal -- all of which would require numeric field values.
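A small Python model of the semantics proposed above ("|" joins fields as OR within one line, several lines are AND-ed, gt/lt compare numeric values), applied to the flood scenario from the first post. This is an added illustration, not Wazuh code; the rule shape, field names and events are constructed assumptions.

```python
# Reference model of the proposed <same>/<different>/<gt>/<lt> rule semantics.
# Not Wazuh code: rule shape, field names and events are constructed here.
from collections import deque

def _cmp(op, prev, cur, field):
    """Compare one field of an earlier event against the current event."""
    if field not in prev or field not in cur:
        return False
    a, b = prev[field], cur[field]
    if op == "same":
        return a == b
    if op == "different":
        return a != b
    # Numeric comparisons: the current value relative to the earlier one.
    a, b = float(a), float(b)
    return {"gt": b > a, "lt": b < a, "gte": b >= a, "lte": b <= a}[op]

class CorrelationRule:
    """Fires when `frequency` related events arrive within `timeframe` seconds."""
    def __init__(self, frequency, timeframe, **lines):
        self.frequency, self.timeframe = frequency, timeframe
        # e.g. same=["dst_ip", "dst_port"], different=["src_ip|src_port"]
        self.lines = [(op, spec.split("|")) for op, specs in lines.items() for spec in specs]
        self.window = deque()

    def _related(self, prev, cur):
        # AND across lines, OR across the '|'-separated fields inside one line.
        return all(any(_cmp(op, prev, cur, f) for f in fields) for op, fields in self.lines)

    def feed(self, event):
        """Return True if this event completes the correlation."""
        ts = event["ts"]
        while self.window and ts - self.window[0]["ts"] > self.timeframe:
            self.window.popleft()  # expire events outside the timeframe
        related = sum(1 for e in self.window if self._related(e, event))
        self.window.append(event)
        return related + 1 >= self.frequency

def flood_demo():
    """Constructed firewall 'accept' events: one target, many sources, 60 s window."""
    rule = CorrelationRule(frequency=3, timeframe=60,
                           same=["dst_ip", "dst_port"], different=["src_ip"])
    events = [
        {"ts": 0,  "src_ip": "192.0.2.10", "dst_ip": "198.51.100.5", "dst_port": 443},
        {"ts": 5,  "src_ip": "192.0.2.11", "dst_ip": "198.51.100.5", "dst_port": 443},
        {"ts": 9,  "src_ip": "192.0.2.11", "dst_ip": "198.51.100.5", "dst_port": 22},  # other port
        {"ts": 12, "src_ip": "192.0.2.12", "dst_ip": "198.51.100.5", "dst_port": 443},
        {"ts": 90, "src_ip": "192.0.2.13", "dst_ip": "198.51.100.5", "dst_port": 443},  # expired
    ]
    return [rule.feed(e) for e in events]
```

Only the fourth event fires: the third hits a different port and the fifth arrives after the earlier ones have left the 60-second window.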