SIEM Rules

Curious, do people share rules here that they have developed? Based on seen activity or just rules in Dev?

For example, we are working on a C2 rule. We are regexing the IP from the command line when PuTTY or other SSH tools are used to make an external connection.


    // Capture the first IPv4-looking token from the command line.
    $PuttyIP = re.capture($, `(?:\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})`)

    // Drop command lines with no IP and connections into the internal range.
    not ($PuttyIP = ""
        or net.ip_in_range_cidr($PuttyIP, "X.X.X.X/X"))

    // Group matches by host and destination IP in a one-minute window.
    $hostname, $PuttyIP over 1m


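As an added illustration (not the poster's rule), the same logic as a stand-alone Python check over constructed process-creation events: extract the IPv4 from SSH-tool command lines, drop empty matches and excluded ranges, and group by hostname and IP per minute. The tool names, the excluded CIDRs (RFC 1918 plus 203.0.113.0/24 standing in for the rule's "X.X.X.X/X") and the sample events are assumptions.

```python
import re
import shlex
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
# Same IPv4 pattern as the posted rule; it also matches 999.1.1.1-style values, so matches are validated below.
IPV4_RE = re.compile(r"(?:\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})")
# Assumed exclusions standing in for the rule's "X.X.X.X/X": RFC 1918 plus a hypothetical org range.
EXCLUDED_RANGES = [ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "203.0.113.0/24")]
SSH_TOOLS = {"putty.exe", "plink.exe", "ssh.exe", "ssh"}  # assumed tool names

def external_ssh_target(command_line):
    """Return the external IPv4 target of an SSH-tool command line, else None."""
    try:  # posix=False keeps quoted Windows paths intact
        tokens = shlex.split(command_line, posix=False)
    except ValueError:
        return None
    exe = tokens[0].strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower() if tokens else ""
    if exe not in SSH_TOOLS:
        return None
    m = IPV4_RE.search(command_line)
    if not m:
        return None  # hostname target: the rule's `$PuttyIP = ""` case
    try:
        ip = ip_address(m.group(0))
    except ValueError:
        return None  # regex matched a non-address such as 999.1.1.1
    if any(ip in net for net in EXCLUDED_RANGES):
        return None  # the rule's net.ip_in_range_cidr exclusion
    return str(ip)

def detect(events):
    """Group hits by (hostname, ip, minute), like `$hostname, $PuttyIP over 1m`."""
    hits = defaultdict(list)
    for ev in events:
        ip = external_ssh_target(ev["command_line"])
        if ip:
            minute = datetime.fromisoformat(ev["ts"]).isoformat(timespec="minutes")
            hits[(ev["hostname"], ip, minute)].append(ev["command_line"])
    return dict(hits)

# Constructed process-creation events, not real telemetry.
EVENTS = [
    {"ts": "2024-01-01T10:00:05", "hostname": "ws01", "command_line": r'"C:\Program Files\PuTTY\putty.exe" -ssh admin@198.51.100.7'},
    {"ts": "2024-01-01T10:00:30", "hostname": "ws01", "command_line": r"C:\Tools\plink.exe -P 2222 198.51.100.7"},
    {"ts": "2024-01-01T10:01:45", "hostname": "ws01", "command_line": "putty.exe 198.51.100.7"},
    {"ts": "2024-01-01T10:02:00", "hostname": "ws02", "command_line": "putty.exe -ssh ops@10.20.30.40"},
    {"ts": "2024-01-01T10:02:10", "hostname": "ws02", "command_line": "putty.exe -ssh jump.corp.example"},
    {"ts": "2024-01-01T10:04:00", "hostname": "ws03", "command_line": "ssh.exe user@203.0.113.9"},
]
```

One caveat the regex alone does not cover: `\d{1,3}` also matches values such as 999.1.1.1, so each match is validated with ipaddress before the range check.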