Upload files to "configs"

2026-05-29 19:02:57 +00:00
commit 90fba40de4
5 changed files with 1149 additions and 0 deletions
@@ -0,0 +1,181 @@
+<!-- Local rules -->
+
+<!-- Modify it at your will. -->
+<!-- Copyright (C) 2015, Wazuh Inc. -->
+
+<!-- Example -->
+<group name="local,syslog,sshd,">
+
+  <!--
+  Dec 10 01:02:02 host sshd[1234]: Failed none for root from 1.1.1.1 port 1066 ssh2
+  -->
+  <rule id="100001" level="5">
+    <if_sid>5716</if_sid>
+    <srcip>1.1.1.1</srcip>
+    <description>sshd: authentication failed from IP 1.1.1.1.</description>
+    <group>authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,</group>
+  </rule>
+
+  <!-- Bridge rule: makes pfsense-wrapped decoder trigger the pfSense rule chain -->
+  <rule id="87699" level="0">
+    <decoded_as>pfsense-wrapped</decoded_as>
+    <description>pfSense wrapped syslog parent rule.</description>
+  </rule>
+
+  <rule id="87761" level="5">
+    <if_sid>87699</if_sid>
+    <action>block</action>
+    <description>pfSense firewall drop event (wrapped).</description>
+    <group>pfsense,firewall_block,pci_dss_1.4,gpg13_4.12,hipaa_164.312.a.1,nist_800_53_SC.7,tsc_CC6.7,tsc_CC6.8,</group>
+  </rule>
+
+  <rule id="87762" level="10" frequency="18" timeframe="45" ignore="240">
+    <if_matched_sid>87761</if_matched_sid>
+    <same_source_ip />
+    <description>Multiple pfSense firewall block events from same source (wrapped).</description>
+    <mitre>
+      <id>T1110</id>
+    </mitre>
+    <group>pfsense,</group>
+  </rule>
+
+</group>
+
+<group name="attack,">
+  <rule id="100100" level="10">
+    <if_group>web|attack|attacks</if_group>
+    <list field="srcip" lookup="address_match_key">etc/lists/blacklist-alienvault</list>
+    <description>IP address found in AlienVault reputation database.</description>
+  </rule>
+</group>
+
+<group name="dovecot,local,">
+  <rule id="100200" level="0">
+    <if_sid>9705</if_sid>
+    <match>watchdog@invalid</match>
+    <description>Dovecot: mailcow watchdog health check (ignored)</description>
+  </rule>
+
+  <rule id="100201" level="0">
+    <if_sid>9707</if_sid>
+    <match>rip=172.22.1.</match>
+    <description>Dovecot: mailcow watchdog IMAP probe disconnect (ignored)</description>
+  </rule>
+
+  <rule id="100202" level="0">
+    <if_sid>9706</if_sid>
+    <match>imap(IGNORED_EMAIL_ADDRESS)</match>
+    <description>Dovecot: own-mailbox routine session disconnect (ignored)</description>
+  </rule>
+
+  <rule id="100301" level="0">
+    <if_sid>9706</if_sid>
+    <match>managesieve-login: Disconnected: Connection closed (no auth attempts</match>
+    <description>Mailcow watchdog managesieve healthcheck - suppressed</description>
+  </rule>
+
+
+</group>
+
+<group name="dovecot,authentication_success,">
+  <rule id="100300" level="0" overwrite="no">
+    <if_sid>9701</if_sid>
+    <description>Dovecot successful login - suppressed (routine IMAP polling)</description>
+  </rule>
+</group>
+
+<group name="gitea,">
+  <!-- Parent rule: any Gitea event gets decoded but only fires if a child rule matches -->
+  <rule id="100400" level="0">
+    <decoded_as>gitea</decoded_as>
+    <description>Gitea event (parent)</description>
+  </rule>
+
+  <!-- Suppress polling/router/HTTP noise so it never reaches the alert log -->
+  <rule id="100401" level="0">
+    <if_sid>100400</if_sid>
+    <match>router: polling</match>
+    <description>Gitea: router polling - suppressed</description>
+  </rule>
+
+  <rule id="100402" level="0">
+    <if_sid>100400</if_sid>
+    <match>router: completed</match>
+    <description>Gitea: router completed request - suppressed</description>
+  </rule>
+
+  <!-- Failed login (matches your real captured line) -->
+  <rule id="100410" level="5">
+    <if_sid>100400</if_sid>
+    <match>Failed authentication attempt</match>
+    <description>Gitea: failed authentication attempt</description>
+    <group>authentication_failed,</group>
+    <mitre>
+      <id>T1110</id>
+    </mitre>
+  </rule>
+
+  <!-- Brute force: 5 failures from same source in 2 minutes -->
+  <rule id="100411" level="10" frequency="5" timeframe="120">
+    <if_matched_sid>100410</if_matched_sid>
+    <description>Gitea: possible brute force (5+ failed logins in 2 min)</description>
+    <group>authentication_failures,</group>
+    <mitre>
+      <id>T1110</id>
+    </mitre>
+  </rule>
+
+  <!-- Account lifecycle -->
+  <rule id="100420" level="5">
+    <if_sid>100400</if_sid>
+    <match>new user signed up|created user</match>
+    <description>Gitea: new user account created</description>
+  </rule>
+
+  <rule id="100421" level="7">
+    <if_sid>100400</if_sid>
+    <match>deleted user|DeleteUser</match>
+    <description>Gitea: user account deleted</description>
+  </rule>
+
+  <!-- SSH keys / tokens -->
+  <rule id="100430" level="5">
+    <if_sid>100400</if_sid>
+    <match>add public key|added SSH key|AddPublicKey</match>
+    <description>Gitea: SSH key added to account</description>
+  </rule>
+
+  <rule id="100431" level="3">
+    <if_sid>100400</if_sid>
+    <match>delete public key|deleted SSH key|DeletePublicKey</match>
+    <description>Gitea: SSH key removed from account</description>
+  </rule>
+
+  <rule id="100440" level="5">
+    <if_sid>100400</if_sid>
+    <match>access token|AccessToken</match>
+    <description>Gitea: access token activity</description>
+  </rule>
+
+  <!-- Password reset / recovery -->
+  <rule id="100450" level="5">
+    <if_sid>100400</if_sid>
+    <match>ResetPasswd|recover_account</match>
+    <description>Gitea: password reset / account recovery</description>
+  </rule>
+
+  <!-- Repo operations -->
+  <rule id="100460" level="7">
+    <if_sid>100400</if_sid>
+    <match>repository deleted|DeleteRepository</match>
+    <description>Gitea: repository deleted</description>
+  </rule>
+
+  <!-- 2FA events -->
+  <rule id="100470" level="5">
+    <if_sid>100400</if_sid>
+    <match>TwoFactor|two-factor|TOTP</match>
+    <description>Gitea: 2FA event</description>
+  </rule>
+
+</group>