infosecn1nja
/
HELK
mirror of https://github.com/infosecn1nja/HELK.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
HELK/docker/helk-jupyter/notebooks/sigma/cleartext_protocols.ipynb

226 lines
6.1 KiB
Plaintext
Raw Blame History

{
"cells": [
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# Cleartext Protocol Usage\n",
"Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels. Ensure that an encryption is used for all sensitive information in transit. Ensure that an encrypted channels is used for all administrative account access."
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Rule Content\n",
"```\n",
"- action: global\n",
" title: Cleartext Protocol Usage\n",
" id: 7e4bfe58-4a47-4709-828d-d86c78b7cc1f\n",
" description: Ensure that all account usernames and authentication credentials are\n",
" transmitted across networks using encrypted channels. Ensure that an encryption\n",
" is used for all sensitive information in transit. Ensure that an encrypted channels\n",
" is used for all administrative account access.\n",
" references:\n",
" - https://www.cisecurity.org/controls/cis-controls-list/\n",
" - https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf\n",
" - https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\n",
" author: Alexandr Yampolskyi, SOC Prime\n",
" status: stable\n",
" date: 2019/03/26\n",
" falsepositives:\n",
" - unknown\n",
" level: low\n",
" tags:\n",
" - CSC4\n",
" - CSC4.5\n",
" - CSC14\n",
" - CSC14.4\n",
" - CSC16\n",
" - CSC16.5\n",
" - NIST CSF 1.1 PR.AT-2\n",
" - NIST CSF 1.1 PR.MA-2\n",
" - NIST CSF 1.1 PR.PT-3\n",
" - NIST CSF 1.1 PR.AC-1\n",
" - NIST CSF 1.1 PR.AC-4\n",
" - NIST CSF 1.1 PR.AC-5\n",
" - NIST CSF 1.1 PR.AC-6\n",
" - NIST CSF 1.1 PR.AC-7\n",
" - NIST CSF 1.1 PR.DS-1\n",
" - NIST CSF 1.1 PR.DS-2\n",
" - NIST CSF 1.1 PR.PT-3\n",
" - NIST CSF 1.1 PR.PT-3\n",
" - ISO 27002-2013 A.9.2.1\n",
" - ISO 27002-2013 A.9.2.2\n",
" - ISO 27002-2013 A.9.2.3\n",
" - ISO 27002-2013 A.9.2.4\n",
" - ISO 27002-2013 A.9.2.5\n",
" - ISO 27002-2013 A.9.2.6\n",
" - ISO 27002-2013 A.9.3.1\n",
" - ISO 27002-2013 A.9.4.1\n",
" - ISO 27002-2013 A.9.4.2\n",
" - ISO 27002-2013 A.9.4.3\n",
" - ISO 27002-2013 A.9.4.4\n",
" - ISO 27002-2013 A.8.3.1\n",
" - ISO 27002-2013 A.9.1.1\n",
" - ISO 27002-2013 A.10.1.1\n",
" - PCI DSS 3.2 2.1\n",
" - PCI DSS 3.2 8.1\n",
" - PCI DSS 3.2 8.2\n",
" - PCI DSS 3.2 8.3\n",
" - PCI DSS 3.2 8.7\n",
" - PCI DSS 3.2 8.8\n",
" - PCI DSS 3.2 1.3\n",
" - PCI DSS 3.2 1.4\n",
" - PCI DSS 3.2 4.3\n",
" - PCI DSS 3.2 7.1\n",
" - PCI DSS 3.2 7.2\n",
" - PCI DSS 3.2 7.3\n",
"- logsource:\n",
" product: netflow\n",
" detection:\n",
" selection:\n",
" destination.port:\n",
" - 8080\n",
" - 21\n",
" - 80\n",
" - 23\n",
" - 50000\n",
" - 1521\n",
" - 27017\n",
" - 1433\n",
" - 11211\n",
" - 3306\n",
" - 15672\n",
" - 5900\n",
" - 5901\n",
" - 5902\n",
" - 5903\n",
" - 5904\n",
" condition: selection\n",
"- logsource:\n",
" product: firewall\n",
" detection:\n",
" selection1:\n",
" destination.port:\n",
" - 8080\n",
" - 21\n",
" - 80\n",
" - 23\n",
" - 50000\n",
" - 1521\n",
" - 27017\n",
" - 3306\n",
" - 1433\n",
" - 11211\n",
" - 15672\n",
" - 5900\n",
" - 5901\n",
" - 5902\n",
" - 5903\n",
" - 5904\n",
" selection2:\n",
" action:\n",
" - forward\n",
" - accept\n",
" - 2\n",
" condition: selection1 AND selection2\n",
"\n",
"```"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Querying Elasticsearch"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Import Libraries"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"from elasticsearch import Elasticsearch\n",
"from elasticsearch_dsl import Search\n",
"import pandas as pd"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Initialize Elasticsearch client"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
"searchContext = Search(using=es, index='logs-*', doc_type='doc')"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Run Elasticsearch Query"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"s = searchContext.query('query_string', query='destination.port:(\"8080\" OR \"21\" OR \"80\" OR \"23\" OR \"50000\" OR \"1521\" OR \"27017\" OR \"1433\" OR \"11211\" OR \"3306\" OR \"15672\" OR \"5900\" OR \"5901\" OR \"5902\" OR \"5903\" OR \"5904\")')\n",
"response = s.execute()\n",
"if response.success():\n",
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"s = searchContext.query('query_string', query='(destination.port:(\"8080\" OR \"21\" OR \"80\" OR \"23\" OR \"50000\" OR \"1521\" OR \"27017\" OR \"3306\" OR \"1433\" OR \"11211\" OR \"15672\" OR \"5900\" OR \"5901\" OR \"5902\" OR \"5903\" OR \"5904\") AND action:(\"forward\" OR \"accept\" OR \"2\"))')\n",
"response = s.execute()\n",
"if response.success():\n",
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Show Results"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"df.head()"
]
}
],
"metadata": {},
"nbformat": 4,
"nbformat_minor": 4
}
Reference in New Issue View Git Blame Copy Permalink