<!-- Wazuh custom rules (IDs 100500 to 100504) for Suricata alerts that pfSense forwards
     as syslog. Every rule below chains off the parent rule 100500, so a missed match
     there silences the whole file. -->
<group name="suricata,ids,ot,">
<!-- Parent rule: hook the FreePBX parent rule (70000) and keep only lines that mention
     "suricata".
     NOTE(review): the comment names FreePBX while the description names pfSense;
     confirm that rule 70000 really is the rule the pfSense Suricata syslog lines land
     on, otherwise none of the children ever fire (an if_sid that never matches fails
     silently). -->
<rule id="100500" level="5">
<if_sid>70000</if_sid>
<match>suricata</match>
<description>Suricata event captured from pfSense</description>
<group>suricata,ids,</group>
</rule>
<!-- High priority: events carrying our own Suricata SIDs.
     NOTE(review): match is an unanchored substring test, so "1000010" also hits any
     line where the digits occur inside a longer number (11000010, 10000100, a
     timestamp or packet counter) or in a different position than the SID. Presumably
     the SID appears in the usual [gid:sid:rev] form; verify against a real event and
     consider matching the decoded signature-id field, or the ":1000010:" form, instead.
     The same caveat applies to 100503 and 100504 below.
     MITRE: T1046 is Network Service Discovery (Enterprise); T0846 is Remote System
     Discovery (ICS). -->
<rule id="100501" level="10">
<if_sid>100500</if_sid>
<match>1000010</match>
<description>OT Attack: Unauthorized access to SCADA from non-admin network</description>
<mitre>
<id>T1046</id>
<id>T0846</id>
</mitre>
<group>ot_attack,unauthorized_access,</group>
</rule>
<!-- Critical: the Kali host seen in the OT segment.
     NOTE(review): the match is the bare IP anywhere in the line, so it fires whether
     10.0.20.10 is the source or the destination (a scan aimed AT the Kali box is also
     rated level 12), and it is a prefix of 10.0.20.100 to 10.0.20.109 and a suffix of
     addresses such as 110.0.20.10. If the decoder populates srcip, a <srcip> condition
     would be more precise; confirm the decoder first, because a condition on an
     unfilled field never matches and would silently drop the alert.
     NOTE(review): 100502 and 100503 describe the same scenario from the same parent.
     Wazuh reports only one matching rule per event; which of the two wins for an event
     that carries both SID 1000011 and this IP depends on the engine's evaluation order
     rather than file order alone, so check that the level-12 rule is the one that
     actually surfaces. -->
<rule id="100502" level="12">
<if_sid>100500</if_sid>
<match>10.0.20.10</match>
<description>CRITICAL: Pentester (Kali) attacking OT segment</description>
<mitre>
<id>T1046</id>
</mitre>
<group>ot_attack,pentest_detected,</group>
</rule>
<!-- SID 1000011 is our own Suricata rule for Kali inside the OT network
     (substring-match caveat as for 100501). -->
<rule id="100503" level="11">
<if_sid>100500</if_sid>
<match>1000011</match>
<description>OT: Pentester Kali Linux accessing OT network</description>
<group>ot_attack,pentest_detected,</group>
</rule>
<!-- ICMP inside the OT segment: SID 1000099, reconnaissance indicator only, hence the
     lower level (substring-match caveat as for 100501). -->
<rule id="100504" level="7">
<if_sid>100500</if_sid>
<match>1000099</match>
<description>OT: ICMP probe in monitored network</description>
<group>recon,</group>
</rule>
</group>