user@govno:~$ sudo cat /var/ossec/etc/rules/local_rules.xml
<!-- Local rules -->

<!-- Modify it at your will. -->
<!-- Copyright (C) 2015, Wazuh Inc. -->

<!-- Example -->
<group name="local,syslog,sshd,">

  <!--
  Dec 10 01:02:02 host sshd[1234]: Failed none for root from 1.1.1.1 port 1066 ssh2
  -->
  <!-- Stock Wazuh example left in place: a child of 5716 (the sshd failure shown
       in the sample line above) narrowed to a single source address. It fires only
       when the decoded srcip is exactly 1.1.1.1, so in practice it is a template
       for address-scoped overrides rather than a live detection. -->
  <rule id="100001" level="5">
    <if_sid>5716</if_sid>
    <srcip>1.1.1.1</srcip>
    <description>sshd: authentication failed from IP 1.1.1.1.</description>
    <group>authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,</group>
  </rule>

</group>

<group name="suricata,ids,ot,">

  <!-- Re-parent the FreePBX parent rule (sid 70000) for Suricata logs.
       NOTE(review): this comment names FreePBX while the description says pfSense.
       Confirm that sid 70000 is the rule that actually matches the Suricata syslog
       feed in this deployment: every 1005xx rule below hangs off 100500 via if_sid,
       so if 70000 never matches, none of them can fire.
       <match> is an unanchored substring test on the raw log line, so "suricata"
       anywhere in the line is enough. -->
  <rule id="100500" level="5">
    <if_sid>70000</if_sid>
    <match>suricata</match>
    <description>Suricata event captured from pfSense</description>
    <group>suricata,ids,</group>
  </rule>

  <!-- High priority: events carrying our own Suricata SID 1000010.
       NOTE(review): <match> is a substring test, so 1000010 also matches any longer
       digit run that contains it (e.g. 10000100). If the decoder exposes the
       signature id as a field, a <field> test with ^1000010$ would be exact. -->
  <rule id="100501" level="10">
    <if_sid>100500</if_sid>
    <match>1000010</match>
    <description>OT Attack: Unauthorized access to SCADA from non-admin network</description>
    <mitre>
      <!-- T0846 looks like an ICS-matrix id alongside the Enterprise id; confirm both are intended. -->
      <id>T1046</id>
      <id>T0846</id>
    </mitre>
    <group>ot_attack,unauthorized_access,</group>
  </rule>

  <!-- Critical: the Kali host inside the OT segment.
       NOTE(review): the literal address is matched anywhere in the log, so this
       also fires when 10.0.20.10 is the destination, and on longer addresses such
       as 10.0.20.100. <srcip> would be exact if the decoder fills srcip for this
       feed - verify against a live alert. 100502, 100503 and 100501 are all
       children of 100500, so only one of them fires per event; which one is
       chosen presumably follows Wazuh's child ordering (highest level first) -
       confirm rather than rely on it. -->
  <rule id="100502" level="12">
    <if_sid>100500</if_sid>
    <match>10.0.20.10</match>
    <description>CRITICAL: Pentester (Kali) attacking OT segment</description>
    <mitre>
      <id>T1046</id>
    </mitre>
    <group>ot_attack,pentest_detected,</group>
  </rule>

  <!-- SID 1000011 - our own Suricata rule for Kali in OT (overlaps with 100502,
       which keys on the host address instead of the signature id). -->
  <rule id="100503" level="11">
    <if_sid>100500</if_sid>
    <match>1000011</match>
    <description>OT: Pentester Kali Linux accessing OT network</description>
    <group>ot_attack,pentest_detected,</group>
  </rule>

  <!-- ICMP in OT (our Suricata SID 1000099); same substring caveat as 100501. -->
  <rule id="100504" level="7">
    <if_sid>100500</if_sid>
    <match>1000099</match>
    <description>OT: ICMP probe in monitored network</description>
    <group>recon,</group>
  </rule>

</group>


<group name="sysmon_custom,windows,">

  <!-- Base rule: catch every JSON-decoded event whose provider is Microsoft-Windows-Sysmon.
       Level 2 is below Wazuh's default alert threshold, so this only serves as the
       parent for the per-EventID children below. -->
  <rule id="100100" level="2">
    <decoded_as>json</decoded_as>
    <field name="win.system.providerName">Microsoft-Windows-Sysmon</field>
    <description>Sysmon: событие получено (EventID $(win.system.eventID))</description>
    <group>sysmon,</group>
  </rule>

  <!-- EventID 1: Process Create. The ^1$ anchors keep 1 from matching 10, 11, 13 ... -->
  <rule id="100101" level="2">
    <if_sid>100100</if_sid>
    <field name="win.system.eventID">^1$</field>
    <description>Sysmon EID 1 - Process Create: $(win.eventdata.image) от пользователя $(win.eventdata.user)</description>
    <group>sysmon_event1,process_creation,</group>
  </rule>

  <!-- EventID 3: Network Connection -->
  <rule id="100103" level="4">
    <if_sid>100100</if_sid>
    <field name="win.system.eventID">^3$</field>
    <description>Sysmon EID 3 - Network Connection: $(win.eventdata.image)</description>
    <group>sysmon_event3,network,</group>
  </rule>

  <!-- EventID 7: Image Loaded (DLL load) -->
  <rule id="100107" level="3">
    <if_sid>100100</if_sid>
    <field name="win.system.eventID">^7$</field>
    <description>Sysmon EID 7 - Image Loaded: $(win.eventdata.imageLoaded)</description>
    <group>sysmon_event7,</group>
  </rule>

  <!-- EventID 11: File Create.
       NOTE(review): at level 4 this alerts on every file creation Sysmon reports;
       expect volume unless the Sysmon config already filters EID 11. -->
  <rule id="100111" level="4">
    <if_sid>100100</if_sid>
    <field name="win.system.eventID">^11$</field>
    <description>Sysmon EID 11 - File Created: $(win.eventdata.targetFilename)</description>
    <group>sysmon_event11,file_creation,</group>
  </rule>

  <!-- EventID 13: Registry Value Set (same volume caveat as 100111) -->
  <rule id="100113" level="4">
    <if_sid>100100</if_sid>
    <field name="win.system.eventID">^13$</field>
    <description>Sysmon EID 13 - Registry Value Set: $(win.eventdata.targetObject)</description>
    <group>sysmon_event13,registry,</group>
  </rule>

  <!-- EventID 22: DNS Query -->
  <rule id="100122" level="3">
    <if_sid>100100</if_sid>
    <field name="win.system.eventID">^22$</field>
    <description>Sysmon EID 22 - DNS Query: $(win.eventdata.queryName)</description>
    <group>sysmon_event22,dns,</group>
  </rule>

  <!-- ============ EXAMPLE RULES FOR SUSPICIOUS ACTIVITY ============ -->

  <!-- PowerShell spawning cmd.exe or other commonly abused child processes.
       NOTE(review): the parent check covers powershell.exe only, not pwsh.exe
       (PowerShell 7) - confirm whether that is intended. In Wazuh's own regex
       syntax "\." is documented as "any character" rather than a literal dot,
       so these patterns are slightly broader than they read; use type="pcre2"
       on <field> if exact, case-insensitive matching is wanted and the Wazuh
       version in use supports it. -->
  <rule id="100201" level="10">
    <if_sid>100101</if_sid>
    <field name="win.eventdata.parentImage">powershell\.exe</field>
    <field name="win.eventdata.image">cmd\.exe|whoami\.exe|net\.exe|nslookup\.exe</field>
    <description>Подозрительно: PowerShell запустил $(win.eventdata.image)</description>
    <group>attack,powershell,</group>
  </rule>

  <!-- Process launched from a temp folder.
       NOTE(review): "\\\\" is meant to match a doubled backslash, i.e. this assumes
       the decoded image path still carries the JSON-escaped "\\" separators -
       verify against a live alert, since a single-backslash path would not match.
       The pattern is also case-sensitive ("temp" or "TEMP" would be missed). -->
  <rule id="100202" level="9">
    <if_sid>100101</if_sid>
    <field name="win.eventdata.image">\\\\Temp\\\\|\\\\AppData\\\\Local\\\\Temp</field>
    <description>Подозрительно: запуск из временной папки $(win.eventdata.image)</description>
    <group>attack,suspicious_process,</group>
  </rule>

  <!-- Executable/script file created (child of the EID 11 rule).
       NOTE(review): case-sensitive suffix test - ".EXE" or ".Ps1" are not caught;
       and at level 8 with no path filter this fires for every legitimate installer
       or update that drops a .dll/.exe, so expect to tune it. -->
  <rule id="100203" level="8">
    <if_sid>100111</if_sid>
    <field name="win.eventdata.targetFilename">\.exe$|\.dll$|\.ps1$|\.bat$</field>
    <description>Создан исполняемый файл: $(win.eventdata.targetFilename)</description>
    <group>attack,file_drop,</group>
  </rule>

</group>