Mirrors/marcredhat-siem-toolkit-patched
1
0
Fork 0
mirror of https://github.com/marcredhat/SIEM-toolkit-patched synced 2026-06-08 20:37:12 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
d6d0faf218a593ef8789852a3f1276c16b23ba5a
marcredhat-siem-toolkit-pat…/parsers/LinuxOS-OCSF
T
marc a9dcf48e65 Snapshot 95 demo-tenant parsers (incl. stormshield) + un-ignore parsers/ 
The original upstream gitignores parsers/* on the assumption that each tenant
has its own set. This fork commits a working snapshot so the Parser Test Runner
and Parser Coverage features are usable out of the box.

Stormshield parser exercises the new SDL key=value scanner, pattern references,
and JS-style unquoted format keys added to backend/routers/quality.py.
2026-05-22 14:11:56 +02:00

153 lines
4.9 KiB
Plaintext
Raw Blame History

{
// Linux syslog/auditd parser — OCSF v1.3.0
attributes: {
"metadata.version": "1.3.0",
"metadata.product.vendor_name": "Linux",
"metadata.product.name": "Linux OS",
"metadata.log_provider": "syslog",
"Category": "host",
"dataSource.vendor": "Linux",
"dataSource.name": "Linux OS",
"dataSource.category": "host",
"category_uid": 1,
"category_name": "System Activity",
"class_uid": 1001,
"class_name": "File System Activity",
"activity_id": 0,
"activity_name": "Unknown",
"type_uid": 100100,
"status_id": 1,
"status": "Success",
"severity_id": 1,
"severity": "Informational"
},
patterns: {
ipv4: "\\d+\\.\\d+\\.\\d+\\.\\d+",
word: "\\S+",
rest: ".*",
creds: "(mimikatz|hashdump|secretsdump|kerbrute)",
revshell: ".*socket\\.socket.*"
},
formats: [
// SSH failed authentication
{
id: "ssh_failed",
attributes: {
class_uid: 2004, class_name: "Detection Finding",
category_uid: 2, category_name: "Findings",
activity_id: 1, activity_name: "Create",
type_uid: 200401,
finding_title: "Linux SSH Authentication Failure",
severity_id: 4, severity: "High",
disposition_id: 2, disposition: "Blocked"
},
format: ".*Failed password for $user_name=word$ from $src_ip=ipv4$ port $src_port=word$.*",
halt: true
},
// SSH successful authentication
{
id: "ssh_success",
attributes: {
class_uid: 3002, class_name: "Authentication",
category_uid: 3, category_name: "IAM",
activity_id: 1, activity_name: "Logon",
type_uid: 300201,
status_id: 1, status: "Success"
},
format: ".*Accepted password for $user_name=word$ from $src_ip=ipv4$ port $src_port=word$.*",
halt: true
},
// sudo NOT in sudoers (priv-esc attempt)
{
id: "sudo_not_in_sudoers",
attributes: {
class_uid: 2004, class_name: "Detection Finding",
category_uid: 2, category_name: "Findings",
activity_id: 1, activity_name: "Create",
type_uid: 200401,
finding_title: "Linux Sudo Not In Sudoers",
severity_id: 5, severity: "Critical",
disposition_id: 2, disposition: "Blocked"
},
format: ".*sudo: $user_name=word$ : user NOT in sudoers ; TTY=$tty=word$ ; PWD=$pwd=word$ ; USER=$target_user=word$ ; COMMAND=$process_cmd_line=rest$",
halt: true
},
// useradd — new user account created
{
id: "useradd",
attributes: {
class_uid: 3001, class_name: "Account Change",
category_uid: 3, category_name: "IAM",
activity_id: 1, activity_name: "Create",
type_uid: 300101,
finding_title: "Linux New User Account Created",
severity_id: 4, severity: "High"
},
format: ".*useradd\\[$pid=word$\\]: new user: name=$new_user=word$, UID=$uid=word$, GID=$gid=word$.*",
halt: true
},
// Mimikatz / credential dumping signatures
{
id: "credential_dump",
attributes: {
class_uid: 2004, class_name: "Detection Finding",
category_uid: 2, category_name: "Findings",
type_uid: 200401,
finding_title: "Linux Credential Dumping Tool",
severity_id: 5, severity: "Critical",
disposition_id: 2, disposition: "Blocked"
},
format: ".*$tool=creds$.*",
halt: true
},
// Reverse shell (python -c socket)
{
id: "reverse_shell",
attributes: {
class_uid: 2004, class_name: "Detection Finding",
category_uid: 2, category_name: "Findings",
type_uid: 200401,
finding_title: "Linux Reverse Shell Execution",
severity_id: 5, severity: "Critical",
disposition_id: 2, disposition: "Blocked"
},
format: ".*python$ver=word$ -c $cmd=revshell$.*",
halt: true
},
// Generic auditd EXECVE
{
id: "auditd_execve",
attributes: {
class_uid: 1007, class_name: "Process Activity",
category_uid: 1, category_name: "System Activity",
activity_id: 1, activity_name: "Launch",
type_uid: 100701
},
format: ".*auditd\\[$pid=word$\\]: EXECVE argc=$argc=word$ a0=\"$process_name=word$\" $cmdline=rest$",
halt: true
},
// Cron job executed (suspicious if from /tmp/.hidden)
{
id: "cron_suspicious",
attributes: {
class_uid: 2004, class_name: "Detection Finding",
category_uid: 2, category_name: "Findings",
type_uid: 200401,
finding_title: "Linux Suspicious Cron Job",
severity_id: 4, severity: "High"
},
format: ".*cron\\[$pid=word$\\]: \\($cron_user=word$\\) CMD \\($cron_cmd=rest$\\)",
halt: true
}
]
}
Reference in New Issue View Git Blame Copy Permalink