-
Notifications
You must be signed in to change notification settings - Fork 493
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Rule Tuning] Roshal Archive (RAR) or PowerShell File Downloaded from the Internet #1107
Comments
Hmmm just had a better look at the results and it seems like the current query captures traffic from internal ip addresses instead of public ip addresses?
The generated signals Also the private ranges seem to be missing some:
So the query should more look like:
|
@bm11100 could you have a look at this issue? Sth seems not right with this rule no? |
We could also add an
Looking further, the rule isn't factoring in what the destination ip is, so its possible the destination is an internal IP instead of a public ip and we want to look for the destination ip being a public address. So what if we just rule out the non-routable This should find internal network connections to a publicly routable address space that includes the ps1 and rar extensions.
I've pushed the changes in this PR - #1227 |
Hey @willemdh First off, thanks for your comments. They are well thought out and relevant. Efficiency When this rule was written, leading PANOS Data Of note, when looking at the exported fields for the PAN Filebeat module, I don't see Source IPs Tune Up What do you think? |
Sounds like a perfect plan, have a nice weekend all |
Same to you, @willemdh For your reference: |
@peasead Just re-read you comments Of note, when looking at the exported fields for the PAN Filebeat module, I don't see url.extension, so that'd be needed as well. And I wanted to add that the by Elastic provided panw dataset definitely has an |
Ah, looks like it. I was going off the Filebeat docs, which may need to be updated...or am I overlooking something? https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-panw.html https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-panw.html |
My guess is the docs probably need some work.. |
I created elastic/beats#25999 to add the |
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. |
Wouldn't it be better to do something like below as to not hardcode IPs that may or not be valid for users?
This way it takes advantage of the |
@legoguy1000 I think that's a great idea. There were some issues a while ago with network directions, Zeek, and the associated Filebeat module which is why we leaned away from that approach. That's no longer an issue, so I think that's a solid PR idea. |
@peasead ok, I'll submit a PR. |
@peasead I started to go through the list and realized a lot of the rules are based on Auditbeat, Winglogbeat, Endpoint events which don't have the internal_networks/network.direction context. so IDK if its the best try and change those to using |
Hm, yeah. It looks like the Endpoint uses incoming and outgoing for several protcols, Packetbeat and Auditbeat use ingress and egress. Let me check on a few things, because incoming and outgoing aren't expected values of network.direction |
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. |
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. |
This has been closed due to inactivity. If you feel this is an error, please re-open and include a justifying comment. |
https://www.elastic.co/guide/en/security/current/roshal-archive-rar-or-powershell-file-downloaded-from-the-internet.html
Description
The way this rule currently works is highly ineffective and only searches in packetbeat data and also uses regex with front wildcard. it would be way more efficient if it would (also) query NGFW data, for example from
panw.panos
. This dataset contains all download url's and also has a fieldurl.extension
.Instead of having to do a front wildcard Lucene regex query, like:
event.category:(network OR network_traffic) AND network.protocol:http AND url.path:/.*(rar|ps1)/ AND source.ip:(10.0.0.0\/8 OR 172.16.0.0\/12 OR 192.168.0.0\/16)
This could be changed to a more efficient KQL query like:
event.category:(network OR network_traffic) and url.extension:(ps1 or rar) and not source.ip:(10.0.0.0/8 or 127.0.0.0/8 or 169.254.0.0/16 or 172.16.0.0/12 or 192.168.0.0/16 or 224.0.0.0/4 or "::1" or "FE80::/10" or "FF00::/8") and destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)
Example Data
Unfortunately packetbet http dataset does not have
url.extension
so it might be a good idea to add that first with another issue in the Beats repo, so we can use this rule on both datasets?The text was updated successfully, but these errors were encountered: