
[Rebase] Add rules and decoder for filezilla (Branch: 3.13-filezilla)(Issue: #216) #676

wants to merge 6 commits into
base: master
Create 0695-filezilla_rules.xml
eliasgrana authored and root committed May 22, 2020
commit b4ad0cb669da396ba2d3cdaa4a7dcf2fb53b944c
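--- /dev/null
+++ b/rules/0695-filezilla_rules.xml
@@ -0,0 +1,112 @@
+<!--
+- Filezilla rules
+- Created by Wazuh, Inc.
+- Copyright (C) 2015-2020, Wazuh Inc.
+- This program is a free software; you can redistribute it and/or modify it under the terms of GPLv2.
+-->
+
+<!-- ID: 90100 - 90149 -->
+
+<group name="windows,windows_filezilla,">
+
+<rule id="90100" level="0">
+<decoded_as>filezilla</decoded_as>
+<description>Grouping for the filezilla rules.</description>
+</rule>
+
+<!--
+- Failed login,
+- multiple failed login and
+- banned temporaly for too many failed logins
+-->
+
+<rule id="90101" level="0">
+<if_sid>90100</if_sid>
+<match>530</match>
+<description>Failed login in FTP</description>
+<group>authentication_failed,access_denied,pci_dss_10.2.4,pci_dss_10.2.5,gdpr_IV_35.7.d,gdpr_IV_32.2,</group>
+</rule>
+
+<rule id="90102" level="10" frequency="8" timeframe="180">
+<if_sid>90100</if_sid>
+<if_matched_sid>90101</if_matched_sid>
+<description>Multiple failed logins in a small period of time.</description>
+<group>authentication_failed,access_denied,pci_dss_10.2.4,pci_dss_10.2.5,gdpr_IV_35.7.d,gdpr_IV_32.2,</group>
+</rule>
+
+<rule id="90103" level="10">
+<if_sid>90100</if_sid>
+<match>421 Temporarily banned for too many failed login attempts</match>
+<description>Temporarily banned for too many failed login attempts</description>
+<group>authentication_failed,access_denied,pci_dss_10.2.4,pci_dss_10.2.5,gdpr_IV_35.7.d,gdpr_IV_32.2,</group>
+</rule>
+
+<!--
+- Action not allowed,
+- multiple actions not allowed
+-->
+
+<rule id="90104" level="3">
+<if_sid>90100</if_sid>
+<match>550 Permission denied</match>
+<description>Permission denied</description>
+</rule>
+
+<rule id="90105" level="3">
+<if_sid>90100</if_sid>
+<match>550 Can't create directory. Permission denied</match>
+<description>Permission denied</description>
+</rule>
+
+<rule id="90106" level="10" frequency="10" timeframe="180">
+<if_sid>90100</if_sid>
+<if_matched_sid>90104</if_matched_sid>
+<description>Multiple action not allowed in a small period of time.</description>
+</rule>
+
+<!--
+- IP not allowed to connect to the user
+-->
+
+<rule id="90107" level="3">
+<if_sid>90100</if_sid>
+<match>521</match>
+<description>This user is not allowed to connect from this IP</description>
+</rule>
+
+<!--
+- Directory created,
+- file transferred
+-->
+
+<rule id="90108" level="0">
+<if_sid>90100</if_sid>
+<match>MKD</match>
+<description>Directory created via FTP</description>
+</rule>
+
+<rule id="90109" level="0">
+<if_sid>90100</if_sid>
+<match>226 Successfully transferred</match>
+<description>File transferred via FTP</description>
+</rule>
+
+<!--
+- Logged on,
+- timed out
+-->
+
+<rule id="90112" level="0">
+<if_sid>90100</if_sid>
+<match>230 Logged on</match>
+<description>Logged on via FTP</description>
+</rule>
+
+<rule id="90113" level="0">
+<if_sid>90100</if_sid>
+<match>421 Connection timed out</match>
+<description>User disconnected due to time out.</description>
+<group>pci_dss_8.1.5,gdpr_IV_35.7.d,</group>
+</rule>
+
+</group>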
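Review bot: The bare substring matches in rules 90101 (`<match>530</match>`), 90107 (`<match>521</match>`) and 90108 (`<match>MKD</match>`) fire on any log line that merely contains those characters — a byte count, a session id or a filename — not only on the FTP reply code, and a stray `530` elsewhere in the line counts toward the eight failures that trip the level-10 rule 90102. If the filezilla decoder added in this PR exposes the reply code as a field, matching on that field is the robust fix; failing that, bound the token to its position, e.g. `<regex>\s530\s</regex>` (or at least `<match> 530 </match>`). Rule 90102 also carries no `<same_source_ip />`, so eight failures spread across unrelated clients raise the same brute-force alert as eight from one host — presumably per-source was intended, which depends on the decoder extracting srcip and is worth confirming. Minor: ids 90110 and 90111 are skipped between rules 90109 and 90112, and `temporaly` in the comment above rule 90101 should read `temporarily`.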