Plays #715 and #722 false positives? #9773
Replies: 1 comment
-
The rules in Playbook are not actually written in-house by the Security Onion project; they're from a community repository run by the Sigma project. More information here: https://docs.securityonion.net/en/2.3/playbook.html#getting-started

The issue that you're seeing may be related to an underlying field mapping issue: the rule is intended to look only in those file modification logs, but since the mapping is not set up properly, it searches for the keywords in all the logs and ends up throwing these false positives. We're updating our mapping for the next release, so I would suggest disabling these rules for now if their output is not forensically useful and then testing again in .220.
-
Hello.
SO Version: 2.3.200
Plays 715 and 722 are related to CVE-2020-1350 (SigRed) and should detect file modification/deletion by dns.exe.
Elastalert query: (process.executable.security:\dns.exe AND (NOT (file.target.security:\dns.log)))
Sigma (play #715):
logsource:
    category: file_change
Sigma (play #722):
logsource:
    category: file_delete
However, these plays produce network connection detections instead of file modification/deletion ones. For example:
Network connection detected:
RuleName: VNC
UtcTime: 2023-02-12 20:59:17.910
ProcessGuid: {C8675D3E-8BFF-6361-2A00-000000004100}
ProcessId: 3004
Image: C:\Windows\System32\dns.exe
User: NT AUTHORITY\SYSTEM
Protocol: udp
Initiated: true
SourceIsIpv6: false
SourceIp: 192.168.1.5
SourceHostname: dc.company.local
SourcePort: 53
SourcePortName: domain
DestinationIsIpv6: false
DestinationIp: 10.10.10.115
DestinationHostname: -
DestinationPort: 5800
DestinationPortName: -
Is it correct behavior?
How can I contact the author: Tim Rauch?
Regards,
M.
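To show the mapping problem the reply describes, here is an added example (not Security Onion, Sigma or ElastAlert code) that evaluates the rule logic from the question's ElastAlert query over three constructed events. Field names follow the query with the ".security" suffix dropped, the Sysmon-style event codes and the logsource predicate are assumptions, and the network event is the one quoted above.

```python
from __future__ import annotations
from typing import Callable

# Constructed sample events using the ECS-style names from the question's
# ElastAlert query (the ".security" suffix is dropped here; an assumption).
EVENTS = [
    # 0: the Sysmon network-connection event quoted in the question
    {"event.code": "3", "event.category": "network",
     "process.executable": r"C:\Windows\System32\dns.exe",
     "destination.ip": "10.10.10.115", "destination.port": 5800},
    # 1: a constructed file-delete event by dns.exe (what the rule is meant to catch)
    {"event.code": "23", "event.category": "file", "event.action": "deleted",
     "process.executable": r"C:\Windows\System32\dns.exe",
     "file.target": r"C:\Windows\System32\dns\example.dll"},
    # 2: dns.exe rotating its own log, excluded by the rule's NOT clause
    {"event.code": "23", "event.category": "file", "event.action": "deleted",
     "process.executable": r"C:\Windows\System32\dns.exe",
     "file.target": r"C:\Windows\System32\dns\dns.log"},
]

def detection(ev: dict) -> bool:
    """The rule's selection and filter as the question's query states them:
    process.executable ends with \\dns.exe AND NOT file.target ends with \\dns.log.
    A network event has no file.target at all, so the NOT clause is trivially true."""
    exe = ev.get("process.executable", "").lower()
    target = ev.get("file.target", "").lower()
    return exe.endswith("\\dns.exe") and not target.endswith("\\dns.log")

# A logsource mapping restricts a Sigma category to the matching log type.
# This predicate is a constructed stand-in for the backend's real mapping.
LOGSOURCE_MAP: dict[str, Callable[[dict], bool]] = {
    "file_delete": lambda ev: ev.get("event.category") == "file"
                              and ev.get("event.action") == "deleted",
}

def alerts(category: str, mapping: dict[str, Callable[[dict], bool]]) -> list[int]:
    """Indexes of EVENTS the rule fires on. An unmapped category falls back to
    searching every log, which is the false-positive behaviour in the reply."""
    in_scope = mapping.get(category, lambda ev: True)
    return [i for i, ev in enumerate(EVENTS) if in_scope(ev) and detection(ev)]

if __name__ == "__main__":
    print("unmapped:", alerts("file_delete", {}))            # [0, 1]: event 0 is the FP
    print("mapped:  ", alerts("file_delete", LOGSOURCE_MAP))  # [1]
```

With no mapping the network event fires because the query's keywords match it and the exclusion field is simply absent; once the category is scoped to file-delete logs only the real file event remains.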