vrr/ntopng
2
0
Fork 0
mirror of https://github.com/ntop/ntopng.git synced 2026-05-02 00:40:10 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

initial mitre att&ck standardization (#8446)

Browse source 
* added feature sorting flows by protocol

* changed protocols comparison order

* initial commit for bitmap of server ports

* bitmap added to redis

* added debug string, bitmap not working

* Update alerts_list_per_license.rst

* Update alerts_list_per_license.rst

* initial mitre att&ck standardization

* Update ServerPortsBitmap.h

* updated mitre standardization
This commit is contained in:
Luca Ferretti 2024-06-12 15:55:10 +02:00 committed by GitHub
parent a3b5003298
commit 1b3a0ec19a
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
106 changed files with 1466 additions and 10 deletions
Download patch file Download diff file Expand all files Collapse all files

10
scripts/lua/modules/alert_definitions/flow/alert_binary_application_transfer.lua
View file

@ -10,6 +10,8 @@ local flow_alert_keys = require "flow_alert_keys"
local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
-- Import Mitre Att&ck utils
local mitre = require "mitre_utils"
-- ##############################################
@ -22,6 +24,14 @@ alert_binary_application_transfer.meta = {
i18n_title = "flow_risk.ndpi_binary_application_transfer",
icon = "fas fa-fw fa-file-download",
-- Mitre Att&ck Matrix values
mitre_values = {
mitre_tactic = mitre.tactic.execution,
mitre_tecnique = mitre.tecnique.user_execution,
mitre_sub_tecnique = mitre.sub_tecnique.malicious_link,
mitre_id = "T1204.001"
},
has_victim = true,
has_attacker = true,
}

9
scripts/lua/modules/alert_definitions/flow/alert_broadcast_non_udp_traffic.lua
View file

@ -11,6 +11,8 @@ local flow_alert_keys = require "flow_alert_keys"
local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
-- Import Mitre Att&ck utils
local mitre = require "mitre_utils"
-- ##############################################
@ -25,6 +27,13 @@ alert_broadcast_non_udp_traffic.meta = {
has_attacker = true,
-- Mitre Att&ck Matrix values
mitre_values = {
mitre_tactic = mitre.tactic.discovery,
mitre_tecnique = mitre.tecnique.network_service_discovery,
mitre_id = "T1046"
},
-- Default values
default = {
-- Fitlters to be applied on the alert, e.g., cli_port=23

9
scripts/lua/modules/alert_definitions/flow/alert_device_protocol_not_allowed.lua
View file

@ -10,6 +10,8 @@ local flow_alert_keys = require "flow_alert_keys"
local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
-- Import Mitre Att&ck utils
local mitre = require "mitre_utils"
-- ##############################################
@ -22,6 +24,13 @@ alert_device_protocol_not_allowed.meta = {
i18n_title = "alerts_dashboard.suspicious_device_protocol",
icon = "fas fa-fw fa-exclamation",
-- Mitre Att&ck Matrix values
mitre_values = {
mitre_tactic = mitre.tactic.c_and_c,
mitre_tecnique = mitre.tecnique.app_layer_proto,
mitre_id = "T1071"
},
has_attacker = true,
}

9
scripts/lua/modules/alert_definitions/flow/alert_dns_data_exfiltration.lua
View file

@ -9,6 +9,8 @@ local flow_alert_keys = require "flow_alert_keys"
local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
-- Import Mitre Att&ck utils
local mitre = require "mitre_utils"
-- ##############################################
@ -21,6 +23,13 @@ alert_dns_data_exfiltration.meta = {
i18n_title = "flow_details.dns_data_exfiltration",
icon = "fas fa-fw fa-exclamation",
-- Mitre Att&ck Matrix values
mitre_values = {
mitre_tactic = mitre.tactic.exfiltration,
mitre_tecnique = mitre.tecnique.exfiltration_over_alt_proto,
mitre_id = "T1048"
},
has_attacker = true,
}

10
scripts/lua/modules/alert_definitions/flow/alert_dns_invalid_query.lua
View file

@ -9,6 +9,8 @@ local flow_alert_keys = require "flow_alert_keys"
local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
-- Import Mitre Att&ck utils
local mitre = require "mitre_utils"
-- ##############################################
@ -21,6 +23,14 @@ alert_dns_invalid_query.meta = {
i18n_title = "flow_details.dns_invalid_query",
icon = "fas fa-fw fa-exclamation",
-- Mitre Att&ck Matrix values
mitre_values = {
mitre_tactic = mitre.tactic.c_and_c,
mitre_tecnique = mitre.tecnique.dynamic_resolution,
mitre_sub_tecnique = mitre.sub_tecnique.dns_calculation,
mitre_id = "T1568.003"
},
has_attacker = true,
}

10
scripts/lua/modules/alert_definitions/flow/alert_elephant_flow.lua
View file

@ -13,6 +13,8 @@ local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
local json = require "dkjson"
-- Import Mitre Att&ck utils
local mitre = require "mitre_utils"
-- ##############################################
@ -24,6 +26,14 @@ alert_elephant_flow.meta = {
alert_key = flow_alert_keys.flow_alert_elephant_flow,
i18n_title = "flow_details.elephant_flow",
icon = "fas fa-fw fa-exclamation",
-- Mitre Att&ck Matrix values
mitre_values = {
mitre_tactic = mitre.tactic.collection,
mitre_tecnique = mitre.tecnique.data_from_conf_repo,
mitre_sub_tecnique = mitre.sub_tecnique.network_device_conf_dump,
mitre_ID = "T1602.002"
},
}
-- #######################################################

9
scripts/lua/modules/alert_definitions/flow/alert_flow_low_goodput.lua
View file

@ -11,6 +11,8 @@ local format_utils = require("format_utils")
local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
-- Import Mitre Att&ck utils
local mitre = require "mitre_utils"
-- ##############################################
@ -22,6 +24,13 @@ alert_flow_low_goodput.meta = {
alert_key = flow_alert_keys.flow_alert_low_goodput,
i18n_title = "alerts_dashboard.flow_low_goodput",
icon = "fas fa-fw fa-exclamation",
-- Mitre Att&ck Matrix values
mitre_values = {
mitre_tactic = mitre.tactic.impact,
mitre_tecnique = mitre.tecnique.endpoint_ddos,
mitre_id = "T1499"
},
}
-- ##############################################

10
scripts/lua/modules/alert_definitions/flow/alert_flow_tcp_no_data_exchanged.lua
View file

@ -9,6 +9,8 @@ local flow_alert_keys = require "flow_alert_keys"
local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
-- Import Mitre Att&ck utils
local mitre = require "mitre_utils"
-- ##############################################
@ -20,6 +22,14 @@ alert_tcp_no_data_exchanged.meta = {
alert_key = flow_alert_keys.flow_alert_tcp_no_data_exchanged,
i18n_title = "flow_alerts_explorer.alert_tcp_no_data_exchanged_title",
icon = "fas fa-fw fa-arrow-circle-up",
-- Mitre Att&ck Matrix values
mitre_values = {
mitre_tactic = mitre.tactic.discovery,
mitre_tecnique = mitre.tecnique.network_service_discovery,
mitre_id = "T1046"
},
}
-- ##############################################

11
scripts/lua/modules/alert_definitions/flow/alert_iec_invalid_command_transition.lua
View file

@ -11,7 +11,8 @@ local format_utils = require "format_utils"
local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
-- Import Mitre Att&ck utils
local mitre = require "mitre_utils"
-- ##############################################
@ -23,6 +24,14 @@ alert_iec_invalid_command_transition.meta = {
alert_key = flow_alert_keys.flow_alert_iec_invalid_command_transition,
i18n_title = "flow_checks.iec104_command_title",
icon = "fas fa-fw fa-subway",
-- Mitre Att&ck Matrix values
mitre_values = {
mitre_tactic = mitre.tactic.impact,
mitre_tecnique = mitre.tecnique.data_manipulation,
mitre_id = "T1565"
},
}
-- ##############################################

12
scripts/lua/modules/alert_definitions/flow/alert_iec_invalid_transition.lua
View file

@ -11,7 +11,10 @@ local format_utils = require "format_utils"
local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
-- Import Mitre Att&ck utils
local mitre = require "mitre_utils"
-- Import Mitre Att&ck utils
local mitre = require "mitre_utils"
-- ##############################################
@ -23,6 +26,13 @@ alert_iec_invalid_transition.meta = {
alert_key = flow_alert_keys.flow_alert_iec_invalid_transition,
i18n_title = "flow_checks.iec104_title",
icon = "fas fa-fw fa-subway",
-- Mitre Att&ck Matrix values
mitre_values = {
mitre_tactic = mitre.tactic.impact,
mitre_tecnique = mitre.tecnique.data_manipulation,
mitre_id = "T1565"
},
}
-- ##############################################

10
scripts/lua/modules/alert_definitions/flow/alert_iec_unexpected_type_id.lua
View file

@ -11,7 +11,8 @@ local format_utils = require "format_utils"
local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
-- Import Mitre Att&ck utils
local mitre = require "mitre_utils"
-- ##############################################
@ -23,6 +24,13 @@ alert_iec_unexpected_type_id.meta = {
alert_key = flow_alert_keys.flow_alert_iec_unexpected_type_id,
i18n_title = "flow_checks.iec104_unexpected_type_id_title",
icon = "fas fa-fw fa-subway",
-- Mitre Att&ck Matrix values
mitre_values = {
mitre_tactic = mitre.tactic.impact,
mitre_tecnique = mitre.tecnique.data_manipulation,
mitre_id = "T1565"
},
}
-- ##############################################

9
scripts/lua/modules/alert_definitions/flow/alert_known_proto_on_non_std_port.lua
View file

@ -10,6 +10,8 @@ local flow_alert_keys = require "flow_alert_keys"
local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
-- Import Mitre Att&ck utils
local mitre = require "mitre_utils"
-- ##############################################
@ -22,6 +24,13 @@ alert_known_proto_on_non_std_port.meta = {
i18n_title = "alerts_dashboard.known_proto_on_non_std_port",
icon = "fas fa-fw fa-exclamation",
-- Mitre Att&ck Matrix values
mitre_values = {
mitre_tactic = mitre.tactic.c_and_c,
mitre_tecnique = mitre.tecnique.nont_std_port,
mitre_id = "T1571"
},
has_attacker = true,
}

9
scripts/lua/modules/alert_definitions/flow/alert_lateral_movement.lua
View file

@ -10,6 +10,8 @@ local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
local json = require "dkjson"
-- Import Mitre Att&ck utils
local mitre = require "mitre_utils"
-- ##############################################
@ -21,6 +23,13 @@ alert_lateral_movement.meta = {
alert_key = flow_alert_keys.flow_alert_lateral_movement,
i18n_title = "alerts_dashboard.lateral_movement",
icon = "fas fa-fw fa-arrows-alt-h",
-- Mitre Att&ck Matrix values
mitre_values = {
mitre_tactic = mitre.tactic.lateral_movement,
mitre_id = "TA0008"
},
}
-- ##############################################

9
scripts/lua/modules/alert_definitions/flow/alert_longlived.lua
View file

@ -10,6 +10,8 @@ local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
local json = require "dkjson"
-- Import Mitre Att&ck utils
local mitre = require "mitre_utils"
-- ##############################################
@ -21,6 +23,13 @@ alert_longlived.meta = {
alert_key = flow_alert_keys.flow_alert_longlived,
i18n_title = "flow_details.longlived_flow",
icon = "fas fa-fw fa-exclamation",
-- Mitre Att&ck Matrix values
mitre_values = {
mitre_tactic = mitre.tactic.collection,
mitre_tecnique = mitre.tecnique.data_from_net_shared_driver,
mitre_id = "T1039"
},
}
-- ##############################################

10
scripts/lua/modules/alert_definitions/flow/alert_modbus_invalid_transition.lua
View file

@ -11,7 +11,8 @@ local format_utils = require "format_utils"
local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
-- Import Mitre Att&ck utils
local mitre = require "mitre_utils"
-- ##############################################
@ -23,6 +24,13 @@ alert_modbus_invalid_transition.meta = {
alert_key = flow_alert_keys.flow_alert_modbus_invalid_transition,
i18n_title = "flow_checks.modbus_invalid_transition",
icon = "fas fa-fw fa-subway",
-- Mitre Att&ck Matrix values
mitre_values = {
mitre_tactic = mitre.tactic.impact,
mitre_tecnique = mitre.tecnique.data_manipulation,
mitre_id = "T1565"
},
}
-- ##############################################

10
scripts/lua/modules/alert_definitions/flow/alert_modbus_too_many_exceptions.lua
View file

@ -11,7 +11,8 @@ local format_utils = require "format_utils"
local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
-- Import Mitre Att&ck utils
local mitre = require "mitre_utils"
-- ##############################################
@ -23,6 +24,13 @@ alert_modbus_too_many_exceptions.meta = {
alert_key = flow_alert_keys.flow_alert_modbus_too_many_exceptions,
i18n_title = "flow_checks.modbus_too_many_exceptions",
icon = "fas fa-fw fa-subway",
-- Mitre Att&ck Matrix values
mitre_values = {
mitre_tactic = mitre.tactic.impact,
mitre_tecnique = mitre.tecnique.data_manipulation,
mitre_id = "T1565"
},
}
-- ##############################################

10
scripts/lua/modules/alert_definitions/flow/alert_modbus_unexpected_function_code.lua
View file

@ -11,7 +11,8 @@ local format_utils = require "format_utils"
local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
-- Import Mitre Att&ck utils
local mitre = require "mitre_utils"
-- ##############################################
@ -23,6 +24,13 @@ alert_modbus_unexpected_function_code.meta = {
alert_key = flow_alert_keys.flow_alert_modbus_unexpected_function_code,
i18n_title = "flow_checks.modbus_invalid_function_code",
icon = "fas fa-fw fa-subway",
-- Mitre Att&ck Matrix values
mitre_values = {
mitre_tactic = mitre.tactic.impact,
mitre_tecnique = mitre.tecnique.data_manipulation,
mitre_id = "T1565"
},
}
-- ##############################################

9
scripts/lua/modules/alert_definitions/flow/alert_ndpi_anonymous_subscriber.lua
View file

@ -9,6 +9,8 @@ local flow_alert_keys = require "flow_alert_keys"
local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
-- Import Mitre Att&ck utils
local mitre = require "mitre_utils"
-- ##############################################
@ -20,6 +22,13 @@ alert_ndpi_anonymous_subscriber.meta = {
alert_key = flow_alert_keys.flow_alert_ndpi_anonymous_subscriber,
i18n_title = "flow_risk.ndpi_anonymous_subscriber",
icon = "fas fa-fw fa-exclamation",
-- Mitre Att&ck Matrix values
mitre_values = {
mitre_tactic = mitre.tactic.indicator_removal,
mitre_tecnique = mitre.tecnique.data_from_conf_repo,
mitre_id = "T1070"
},
}
-- ##############################################

8
scripts/lua/modules/alert_definitions/flow/alert_ndpi_clear_text_credentials.lua
View file

@ -9,6 +9,8 @@ local flow_alert_keys = require "flow_alert_keys"
local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
-- Import Mitre Att&ck utils
local mitre = require "mitre_utils"
-- ##############################################
@ -20,6 +22,12 @@ alert_clear_text_credentials.meta = {
alert_key = flow_alert_keys.flow_alert_ndpi_clear_text_credentials,
i18n_title = "flow_risk.ndpi_clear_text_credentials",
icon = "fas fa-fw fa-exclamation",
-- Mitre Att&ck Matrix values
mitre_values = {
mitre_tactic = mitre.tactic.os_credential_dump,
mitre_tecnique = mitre.tecnique.data_from_conf_repo,
mitre_id = "T1003"},
}
-- ##############################################

9
scripts/lua/modules/alert_definitions/flow/alert_ndpi_desktop_or_file_sharing_session.lua
View file

@ -10,6 +10,8 @@ local flow_alert_keys = require "flow_alert_keys"
local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
-- Import Mitre Att&ck utils
local mitre = require "mitre_utils"
-- ##############################################
@ -21,6 +23,13 @@ alert_ndpi_desktop_or_file_sharing_session.meta = {
alert_key = flow_alert_keys.flow_alert_ndpi_desktop_or_file_sharing_session,
i18n_title = "flow_checks_config.desktop_or_file_sharing_session",
icon = "fas fa-fw fa-info-circle",
-- Mitre Att&ck Matrix values
mitre_values = {
mitre_tactic = mitre.tactic.lateral_movement,
mitre_tecnique = mitre.tecnique.lateral_tool_transfer,
mitre_id = "T1570"
},
}
-- ##############################################

10
scripts/lua/modules/alert_definitions/flow/alert_ndpi_dns_fragmented.lua
View file

@ -9,6 +9,8 @@ local flow_alert_keys = require "flow_alert_keys"
local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
-- Import Mitre Att&ck utils
local mitre = require "mitre_utils"
-- ##############################################
@ -20,6 +22,14 @@ alert_ndpi_dns_fragmented.meta = {
alert_key = flow_alert_keys.flow_alert_ndpi_dns_fragmented,
i18n_title = "flow_risk.ndpi_dns_fragmented",
icon = "fas fa-fw fa-exclamation",
-- Mitre Att&ck Matrix values
mitre_values = {
mitre_tactic = mitre.tactic.reconnaissance,
mitre_tecnique = mitre.tecnique.search_open_tech_db,
mitre_sub_tecnique = mitre.sub_tecnique.dns_passive_dns,
mitre_id = "T1596.001"
},
}
-- ##############################################

9
scripts/lua/modules/alert_definitions/flow/alert_ndpi_dns_invalid_characters.lua
View file

@ -9,6 +9,8 @@ local flow_alert_keys = require "flow_alert_keys"
local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
-- Import Mitre Att&ck utils
local mitre = require "mitre_utils"
-- ##############################################
@ -20,6 +22,13 @@ alert_ndpi_dns_invalid_characters.meta = {
alert_key = flow_alert_keys.flow_alert_ndpi_invalid_characters,
i18n_title = "flow_risk.ndpi_invalid_characters",
icon = "fas fa-fw fa-exclamation",
-- Mitre Att&ck Matrix values
mitre_values = {
mitre_tactic = mitre.tactic.credential_access,
mitre_tecnique = mitre.tecnique.adversary_in_the_middle,
mitre_id = "T1557"
},
}
-- ##############################################

10
scripts/lua/modules/alert_definitions/flow/alert_ndpi_dns_large_packet.lua
View file

@ -9,6 +9,8 @@ local flow_alert_keys = require "flow_alert_keys"
local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
-- Import Mitre Att&ck utils
local mitre = require "mitre_utils"
-- ##############################################
@ -20,6 +22,14 @@ alert_ndpi_dns_large_packet.meta = {
alert_key = flow_alert_keys.flow_alert_ndpi_dns_large_packet,
i18n_title = "flow_risk.ndpi_dns_large_packet",
icon = "fas fa-fw fa-exclamation",
-- Mitre Att&ck Matrix values
mitre_values = {
mitre_tactic = mitre.tactic.reconnaissance,
mitre_tecnique = mitre.tecnique.search_open_tech_db,
mitre_sub_tecnique = mitre.sub_tecnique.dns_passive_dns,
mitre_id = "T1596.001"
},
}
-- ##############################################

9
scripts/lua/modules/alert_definitions/flow/alert_ndpi_dns_suspicious_traffic.lua
View file

@ -9,6 +9,8 @@ local flow_alert_keys = require "flow_alert_keys"
local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
-- Import Mitre Att&ck utils
local mitre = require "mitre_utils"
-- ##############################################
@ -21,6 +23,13 @@ alert_ndpi_dns_suspicious_traffic.meta = {
i18n_title = "alerts_dashboard.ndpi_dns_suspicious_traffic_title",
icon = "fas fa-fw fa-exclamation",
-- Mitre Att&ck Matrix values
mitre_values = {
mitre_tactic = mitre.tactic.impact,
mitre_tecnique = mitre.tecnique.resource_hijacking,
mitre_id = "T1496.001"
},
has_victim = true,
has_attacker = true,
}

9
scripts/lua/modules/alert_definitions/flow/alert_ndpi_error_code.lua
View file

@ -9,6 +9,8 @@ local flow_alert_keys = require "flow_alert_keys"
local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
-- Import Mitre Att&ck utils
local mitre = require "mitre_utils"
-- ##############################################
@ -20,6 +22,13 @@ alert_ndpi_error_code_detected.meta = {
alert_key = flow_alert_keys.flow_alert_ndpi_error_code_detected,
i18n_title = "flow_risk.ndpi_error_code_detected",
icon = "fas fa-fw fa-exclamation",
-- Mitre Att&ck Matrix values
mitre_values = {
mitre_tactic = mitre.tactic.impact,
mitre_tecnique = mitre.tecnique.endpoint_ddos,
mitre_id = "T1499"
},
}
-- ##############################################

10
scripts/lua/modules/alert_definitions/flow/alert_ndpi_http_crawler_bot.lua
View file

@ -9,6 +9,8 @@ local flow_alert_keys = require "flow_alert_keys"
local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
-- Import Mitre Att&ck utils
local mitre = require "mitre_utils"
-- ##############################################
@ -20,6 +22,14 @@ alert_ndpi_http_crawler_bot.meta = {
alert_key = flow_alert_keys.flow_alert_ndpi_http_crawler_bot,
i18n_title = "flow_risk.ndpi_http_crawler_bot",
icon = "fas fa-fw fa-exclamation",
-- Mitre Att&ck Matrix values
mitre_values = {
mitre_tactic = mitre.tactic.reconnaissance,
mitre_tecnique = mitre.tecnique.search_open_tech_db,
mitre_sub_tecnique = mitre.sub_tecnique.wordlist_scanning,
mitre_id = "T1595.003"
},
}
-- ##############################################

9
scripts/lua/modules/alert_definitions/flow/alert_ndpi_http_obsolete_server.lua
View file

@ -10,6 +10,8 @@ local flow_alert_keys = require "flow_alert_keys"
local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
-- Import Mitre Att&ck utils
local mitre = require "mitre_utils"
-- ##############################################
@ -21,6 +23,13 @@ alert_ndpi_http_obsolete_server.meta = {
alert_key = flow_alert_keys.flow_alert_ndpi_http_obsolete_server,
i18n_title = "flow_checks_config.http_obsolete_server",
icon = "fas fa-fw fa-info-circle",
-- Mitre Att&ck Matrix values
mitre_values = {
mitre_tactic = mitre.tactic.initial_access,
mitre_tecnique = mitre.tecnique.content_injection,
mitre_id = "T1659"
},
}
-- ##############################################

9
scripts/lua/modules/alert_definitions/flow/alert_ndpi_http_suspicious_content.lua
View file

@ -9,6 +9,8 @@ local flow_alert_keys = require "flow_alert_keys"
local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
-- Import Mitre Att&ck utils
local mitre = require "mitre_utils"
-- ##############################################
@ -20,6 +22,13 @@ alert_http_suspicious_content.meta = {
alert_key = flow_alert_keys.flow_alert_ndpi_http_suspicious_content,
i18n_title = "flow_risk.ndpi_http_suspicious_content",
icon = "fas fa-fw fa-exclamation",
-- Mitre Att&ck Matrix values
mitre_values = {
mitre_tactic = mitre.tactic.defense_evasion,
mitre_tecnique = mitre.tecnique.obfuscated_files_info,
mitre_id = "T1027"
},
}
-- ##############################################

9
scripts/lua/modules/alert_definitions/flow/alert_ndpi_http_suspicious_header.lua
View file

@ -9,6 +9,8 @@ local flow_alert_keys = require "flow_alert_keys"
local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
-- Import Mitre Att&ck utils
local mitre = require "mitre_utils"
-- ##############################################
@ -21,6 +23,13 @@ alert_ndpi_http_suspicious_header.meta = {
i18n_title = "flow_risk.ndpi_http_suspicious_header",
icon = "fas fa-fw fa-exclamation",
-- Mitre Att&ck Matrix values
mitre_values = {
mitre_tactic = mitre.tactic.persistence,
mitre_tecnique = mitre.tecnique.server_software_component,
mitre_id = "T1505"
},
has_victim = true,
has_attacker = true,
}

9
scripts/lua/modules/alert_definitions/flow/alert_ndpi_http_suspicious_url.lua
View file

@ -9,6 +9,8 @@ local flow_alert_keys = require "flow_alert_keys"
local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
-- Import Mitre Att&ck utils
local mitre = require "mitre_utils"
-- ##############################################
@ -21,6 +23,13 @@ alert_ndpi_http_suspicious_url.meta = {
i18n_title = "flow_risk.ndpi_http_suspicious_url",
icon = "fas fa-fw fa-exclamation",
-- Mitre Att&ck Matrix values
mitre_values = {
mitre_tactic = mitre.tactic.initial_access,
mitre_tecnique = mitre.tecnique.drive_by_compr,
mitre_id = "T1189"
},
has_victim = true,
has_attacker = true,
}

12
scripts/lua/modules/alert_definitions/flow/alert_ndpi_http_suspicious_user_agent.lua
View file

@ -9,6 +9,8 @@ local flow_alert_keys = require "flow_alert_keys"
local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
-- Import Mitre Att&ck utils
local mitre = require "mitre_utils"
-- ##############################################
@ -20,7 +22,15 @@ alert_ndpi_http_suspicious_user_agent.meta = {
alert_key = flow_alert_keys.flow_alert_ndpi_http_suspicious_user_agent,
i18n_title = "flow_risk.ndpi_http_suspicious_user_agent",
icon = "fas fa-fw fa-exclamation",
-- Mitre Att&ck Matrix values
mitre_values = {
mitre_tactic = mitre.tactic.c_and_c,
mitre_tecnique = mitre.tecnique.app_layer_proto,
mitre_sub_tecnique = mitre.sub_tecnique.web_proto,
mitre_id = "T1071.001"
},
has_victim = true,
has_attacker = true,
}

9
scripts/lua/modules/alert_definitions/flow/alert_ndpi_malformed_packet.lua
View file

@ -9,6 +9,8 @@ local flow_alert_keys = require "flow_alert_keys"
local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
-- Import Mitre Att&ck utils
local mitre = require "mitre_utils"
-- ##############################################
@ -20,6 +22,13 @@ alert_ndpi_malformed_packet.meta = {
alert_key = flow_alert_keys.flow_alert_ndpi_malformed_packet,
i18n_title = "flow_risk.ndpi_malformed_packet",
icon = "fas fa-fw fa-exclamation",
-- Mitre Att&ck Matrix values
mitre_values = {
mitre_tactic = mitre.tactic.persistence,
mitre_tecnique = mitre.tecnique.traffic_signaling,
mitre_id = "T1205"
},
}
-- ##############################################

9
scripts/lua/modules/alert_definitions/flow/alert_ndpi_malicious_ja3.lua
View file

@ -10,6 +10,8 @@ local flow_alert_keys = require "flow_alert_keys"
local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
-- Import Mitre Att&ck utils
local mitre = require "mitre_utils"
-- ##############################################
@ -21,6 +23,13 @@ alert_ndpi_malicious_ja3.meta = {
alert_key = flow_alert_keys.flow_alert_ndpi_malicious_ja3,
i18n_title = "flow_checks_config.malicious_ja3",
icon = "fas fa-fw fa-info-circle",
-- Mitre Att&ck Matrix values
mitre_values = {
mitre_tactic = mitre.tactic.initial_access,
mitre_tecnique = mitre.tecnique.content_injection,
mitre_id = "T1659"
},
}
-- ##############################################

10
scripts/lua/modules/alert_definitions/flow/alert_ndpi_malware_host_contacted.lua
View file

@ -10,6 +10,8 @@ local flow_alert_keys = require "flow_alert_keys"
local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
-- Import Mitre Att&ck utils
local mitre = require "mitre_utils"
-- ##############################################
@ -21,6 +23,14 @@ alert_ndpi_malware_host_contacted.meta = {
alert_key = flow_alert_keys.flow_alert_ndpi_malware_host_contacted,
i18n_title = "flow_checks_config.ndpi_malware_host_contacted",
icon = "fas fa-fw fa-exclamation",
-- Mitre Att&ck Matrix values
mitre_values = {
mitre_tactic = mitre.tactic.reconnaissance,
mitre_tecnique = mitre.tecnique.phishing_info,
mitre_sub_tecnique = mitre.sub_tecnique.spearphishing_service,
mitre_id = "T1598.001"
},
}
-- ##############################################

9
scripts/lua/modules/alert_definitions/flow/alert_ndpi_numeric_ip_host.lua
View file

@ -9,6 +9,8 @@ local flow_alert_keys = require "flow_alert_keys"
local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
-- Import Mitre Att&ck utils
local mitre = require "mitre_utils"
-- ##############################################
@ -21,6 +23,13 @@ alert_ndpi_numeric_ip_host.meta = {
i18n_title = "flow_risk.ndpi_http_numeric_ip_host",
icon = "fas fa-fw fa-exclamation",
-- Mitre Att&ck Matrix values
mitre_values = {
mitre_tactic = mitre.tactic.defense_evasion,
mitre_tecnique = mitre.tecnique.indicator_removal,
mitre_id = "T1070"
},
has_victim = true,
has_attacker = true,
}

9
scripts/lua/modules/alert_definitions/flow/alert_ndpi_periodic_flow.lua
View file

@ -10,6 +10,8 @@ local flow_alert_keys = require "flow_alert_keys"
local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
-- Import Mitre Att&ck utils
local mitre = require "mitre_utils"
-- ##############################################
@ -21,6 +23,13 @@ alert_ndpi_periodic_flow.meta = {
alert_key = flow_alert_keys.flow_alert_ndpi_periodic_flow,
i18n_title = "flow_checks_config.ndpi_periodic_flow",
icon = "fas fa-fw fa-info-circle",
-- Mitre Att&ck Matrix values
mitre_values = {
mitre_tactic = mitre.tactic.exfiltration,
mitre_tecnique = mitre.tecnique.exfiltration_over_c2_channel,
mitre_id = "T1029"
},
}
-- ##############################################

9
scripts/lua/modules/alert_definitions/flow/alert_ndpi_possible_exploit.lua
View file

@ -9,6 +9,8 @@ local flow_alert_keys = require "flow_alert_keys"
local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
-- Import Mitre Att&ck utils
local mitre = require "mitre_utils"
-- ##############################################
@ -20,6 +22,13 @@ alert_ndpi_possible_exploit.meta = {
alert_key = flow_alert_keys.flow_alert_ndpi_possible_exploit,
i18n_title = "flow_risk.ndpi_possible_exploit",
icon = "fas fa-fw fa-exclamation",
-- Mitre Att&ck Matrix values
mitre_values = {
mitre_tactic = mitre.tactic.initial_access,
mitre_tecnique = mitre.tecnique.exploit_pub_facing_app,
mitre_id = "T1190"
},
}
-- ##############################################

10
scripts/lua/modules/alert_definitions/flow/alert_ndpi_punicody_idn.lua
View file

@ -9,6 +9,8 @@ local flow_alert_keys = require "flow_alert_keys"
local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
-- Import Mitre Att&ck utils
local mitre = require "mitre_utils"
-- ##############################################
@ -20,6 +22,14 @@ alert_ndpi_punicody_idn.meta = {
alert_key = flow_alert_keys.flow_alert_ndpi_punicody_idn,
i18n_title = "flow_risk.ndpi_punicody_idn",
icon = "fas fa-fw fa-exclamation",
-- Mitre Att&ck Matrix values
mitre_values = {
mitre_tactic = mitre.tactic.initial_access,
mitre_tecnique = mitre.tecnique.phishing,
mitre_sub_tecnique = mitre.sub_tecnique.spearphishing_link,
mitre_id = "T1566.002"
},
}
-- ##############################################

9
scripts/lua/modules/alert_definitions/flow/alert_ndpi_risky_asn.lua
View file

@ -10,6 +10,8 @@ local flow_alert_keys = require "flow_alert_keys"
local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
-- Import Mitre Att&ck utils
local mitre = require "mitre_utils"
-- ##############################################
@ -21,6 +23,13 @@ alert_ndpi_risky_asn.meta = {
alert_key = flow_alert_keys.flow_alert_ndpi_risky_asn,
i18n_title = "flow_checks_config.risky_asn",
icon = "fas fa-fw fa-info-circle",
-- Mitre Att&ck Matrix values
mitre_values = {
mitre_tactic = mitre.tactic.discovery,
mitre_tecnique = mitre.tecnique.network_service_discovery,
mitre_id = "T1018"
},
}
-- ##############################################

9
scripts/lua/modules/alert_definitions/flow/alert_ndpi_risky_domain.lua
View file

@ -10,6 +10,8 @@ local flow_alert_keys = require "flow_alert_keys"
local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
-- Import Mitre Att&ck utils
local mitre = require "mitre_utils"
-- ##############################################
@ -21,6 +23,13 @@ alert_ndpi_risky_domain.meta = {
alert_key = flow_alert_keys.flow_alert_ndpi_risky_domain,
i18n_title = "flow_checks_config.risky_domain",
icon = "fas fa-fw fa-info-circle",
-- Mitre Att&ck Matrix values
mitre_values = {
mitre_tactic = mitre.tactic.initial_access,
mitre_tecnique = mitre.tecnique.phishing,
mitre_id = "T1566"
},
}
-- ##############################################

10
scripts/lua/modules/alert_definitions/flow/alert_ndpi_smb_insecure_version.lua
View file

@ -9,6 +9,8 @@ local flow_alert_keys = require "flow_alert_keys"
local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
-- Import Mitre Att&ck utils
local mitre = require "mitre_utils"
-- ##############################################
@ -20,6 +22,14 @@ alert_ndpi_smb_insecure_version.meta = {
alert_key = flow_alert_keys.flow_alert_ndpi_smb_insecure_version,
i18n_title = "flow_risk.ndpi_smb_insecure_version",
icon = "fas fa-fw fa-exclamation",
-- Mitre Att&ck Matrix values
mitre_values = {
mitre_tactic = mitre.tactic.lateral_movement,
mitre_tecnique = mitre.tecnique.remote_services,
mitre_sub_tecnique = mitre.sub_tecnique.smb_windows_admin_share,
mitre_id = "T1021.002"
},
}
-- ##############################################

10
scripts/lua/modules/alert_definitions/flow/alert_ndpi_ssh_obsolete_client.lua
View file

@ -10,6 +10,8 @@ local flow_alert_keys = require "flow_alert_keys"
local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
-- Import Mitre Att&ck utils
local mitre = require "mitre_utils"
-- ##############################################
@ -21,6 +23,14 @@ alert_ndpi_ssh_obsolete_client.meta = {
alert_key = flow_alert_keys.flow_alert_ndpi_ssh_obsolete_client,
i18n_title = "flow_risk.ndpi_ssh_obsolete_client_version_or_cipher",
icon = "fas fa-fw fa-exclamation",
-- Mitre Att&ck Matrix values
mitre_values = {
mitre_tactic = mitre.tactic.lateral_movement,
mitre_tecnique = mitre.tecnique.remote_services,
mitre_sub_tecnique = mitre.sub_tecnique.ssh,
mitre_id = "T1021.004"
},
}
-- ##############################################

9
scripts/lua/modules/alert_definitions/flow/alert_ndpi_ssh_obsolete_server.lua
View file

@ -10,6 +10,8 @@ local flow_alert_keys = require "flow_alert_keys"
local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
-- Import Mitre Att&ck utils
local mitre = require "mitre_utils"
-- ##############################################
@ -21,6 +23,13 @@ alert_ndpi_ssh_obsolete_server.meta = {
alert_key = flow_alert_keys.flow_alert_ndpi_ssh_obsolete_server,
i18n_title = "alerts_dashboard.ndpi_ssh_obsolete_server_title",
icon = "fas fa-fw fa-exclamation",
-- Mitre Att&ck Matrix values
mitre_values = {
mitre_tactic = mitre.tactic.execution,
mitre_tecnique = mitre.tecnique.exploitation_client_exec,
mitre_id = "T1203"
},
}
-- ##############################################

10
scripts/lua/modules/alert_definitions/flow/alert_ndpi_suspicious_dga_domain.lua
View file

@ -7,6 +7,8 @@ local flow_alert_keys = require "flow_alert_keys"
local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
-- Import Mitre Att&ck utils
local mitre = require "mitre_utils"
-- ##############################################
@ -19,6 +21,14 @@ alert_ndpi_suspicious_dga_domain.meta = {
i18n_title = "alerts_dashboard.ndpi_suspicious_dga_domain_title",
icon = "fas fa-fw fa-exclamation",
-- Mitre Att&ck Matrix values
mitre_values = {
mitre_tactic = mitre.tactic.c_and_c,
mitre_tecnique = mitre.tecnique.dynamic_resolution,
mitre_sub_tecnique = mitre.sub_tecnique.domain_generation_algorithms,
mitre_id = "T1568.002"
},
-- A compromised host can do DGA domain requests. A compromised host can be:
-- 1. 'victim' as it is compromised
-- 2. 'attacker' as it can do malicious activities due to the fact that it has been compromised

9
scripts/lua/modules/alert_definitions/flow/alert_ndpi_suspicious_entropy.lua
View file

@ -9,6 +9,8 @@ local flow_alert_keys = require "flow_alert_keys"
local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
-- Import Mitre Att&ck utils
local mitre = require "mitre_utils"
-- ##############################################
@ -21,6 +23,13 @@ alert_ndpi_suspicious_entropy.meta = {
i18n_title = "flow_risk.ndpi_suspicious_entropy",
icon = "fas fa-fw fa-exclamation",
-- Mitre Att&ck Matrix values
mitre_values = {
mitre_tactic = mitre.tactic.defense_evasion,
mitre_tecnique = mitre.tecnique.obfuscated_files_info,
mitre_id = "T1027"
},
has_victim = true,
has_attacker = true,
}

9
scripts/lua/modules/alert_definitions/flow/alert_ndpi_tls_cert_validity_too_long.lua
View file

@ -9,6 +9,8 @@ local flow_alert_keys = require "flow_alert_keys"
local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
-- Import Mitre Att&ck utils
local mitre = require "mitre_utils"
-- ##############################################
@ -20,6 +22,13 @@ alert_ndpi_tls_cert_validity_too_long.meta = {
alert_key = flow_alert_keys.flow_alert_ndpi_tls_cert_validity_too_long,
i18n_title = "alerts_dashboard.ndpi_tls_cert_validity_too_long_title",
icon = "fas fa-fw fa-exclamation",
-- Mitre Att&ck Matrix values
mitre_values = {
mitre_tactic = mitre.tactic.defense_evasion,
mitre_tecnique = mitre.tecnique.impair_defenses,
mitre_id = "T1562"
},
}
-- ##############################################

9
scripts/lua/modules/alert_definitions/flow/alert_ndpi_tls_certificate_about_to_expire.lua
View file

@ -9,6 +9,8 @@ local flow_alert_keys = require "flow_alert_keys"
local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
-- Import Mitre Att&ck utils
local mitre = require "mitre_utils"
-- ##############################################
@ -20,6 +22,13 @@ alert_ndpi_tls_certificate_about_to_expire.meta = {
alert_key = flow_alert_keys.flow_alert_ndpi_tls_certificate_about_to_expire,
i18n_title = "flow_risk.ndpi_tls_certificate_about_to_expire",
icon = "fas fa-fw fa-exclamation",
-- Mitre Att&ck Matrix values
mitre_values = {
mitre_tactic = mitre.tactic.initial_access,
mitre_tecnique = mitre.tecnique.valid_account,
mitre_id = "T1078"
},
}
-- ##############################################

9
scripts/lua/modules/alert_definitions/flow/alert_ndpi_tls_fatal_alert.lua
View file

@ -10,6 +10,8 @@ local flow_alert_keys = require "flow_alert_keys"
local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
-- Import Mitre Att&ck utils
local mitre = require "mitre_utils"
-- ##############################################
@ -21,6 +23,13 @@ alert_ndpi_tls_fatal_alert.meta = {
alert_key = flow_alert_keys.flow_alert_ndpi_tls_fatal_alert,
i18n_title = "flow_checks_config.tls_fatal_alert",
icon = "fas fa-fw fa-info-circle",
-- Mitre Att&ck Matrix values
mitre_values = {
mitre_tactic = mitre.tactic.credential_access,
mitre_tecnique = mitre.tecnique.adversary_in_the_middle,
mitre_id = "T1557"
},
}
-- ##############################################

9
scripts/lua/modules/alert_definitions/flow/alert_ndpi_tls_missing_sni.lua
View file

@ -9,6 +9,8 @@ local flow_alert_keys = require "flow_alert_keys"
local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
-- Import Mitre Att&ck utils
local mitre = require "mitre_utils"
-- ##############################################
@ -20,6 +22,13 @@ alert_ndpi_tls_missing_sni.meta = {
alert_key = flow_alert_keys.flow_alert_ndpi_tls_missing_sni,
i18n_title = "flow_risk.ndpi_tls_missing_sni",
icon = "fas fa-fw fa-exclamation",
-- Mitre Att&ck Matrix values
mitre_values = {
mitre_tactic = mitre.tactic.c_and_c,
mitre_tecnique = mitre.tecnique.proxy,
mitre_id = "T1090"
},
}
-- ##############################################

10
scripts/lua/modules/alert_definitions/flow/alert_ndpi_tls_not_carrying_https.lua
View file

@ -9,6 +9,8 @@ local flow_alert_keys = require "flow_alert_keys"
local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
-- Import Mitre Att&ck utils
local mitre = require "mitre_utils"
-- ##############################################
@ -20,6 +22,14 @@ alert_ndpi_tls_not_carrying_https.meta = {
alert_key = flow_alert_keys.flow_alert_ndpi_tls_not_carrying_https,
i18n_title = "flow_risk.ndpi_tls_not_carrying_https",
icon = "fas fa-fw fa-exclamation",
-- Mitre Att&ck Matrix values
mitre_values = {
mitre_tactic = mitre.tactic.c_and_c,
mitre_tecnique = mitre.tecnique.data_obfuscation,
mitre_sub_tecnique = mitre.sub_tecnique.protocol_impersonation,
mitre_id = "T1001.003"
},
}
-- ##############################################

9
scripts/lua/modules/alert_definitions/flow/alert_ndpi_tls_old_protocol_version.lua
View file

@ -9,6 +9,8 @@ local flow_alert_keys = require "flow_alert_keys"
local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
-- Import Mitre Att&ck utils
local mitre = require "mitre_utils"
-- ##############################################
@ -20,6 +22,13 @@ alert_ndpi_tls_old_protocol_version.meta = {
alert_key = flow_alert_keys.flow_alert_ndpi_tls_old_protocol_version,
i18n_title = "flow_details.tls_old_protocol_version",
icon = "fas fa-fw fa-exclamation",
-- Mitre Att&ck Matrix values
mitre_values = {
mitre_tactic = mitre.tactic.execution,
mitre_tecnique = mitre.tecnique.exploitation_client_exec,
mitre_id = "T1203"
},
}
-- ##############################################

10
scripts/lua/modules/alert_definitions/flow/alert_ndpi_tls_suspicious_esni_usage.lua
View file

@ -9,6 +9,8 @@ local flow_alert_keys = require "flow_alert_keys"
local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
-- Import Mitre Att&ck utils
local mitre = require "mitre_utils"
-- ##############################################
@ -21,6 +23,14 @@ alert_ndpi_tls_suspicious_esni_usage.meta = {
i18n_title = "alerts_dashboard.ndpi_tls_suspicious_esni_usage_title",
icon = "fas fa-fw fa-exclamation",
-- Mitre Att&ck Matrix values
mitre_values = {
mitre_tactic = mitre.tactic.c_and_c,
mitre_tecnique = mitre.tecnique.proxy,
mitre_sub_tecnique = mitre.sub_tecnique.domain_fronting,
mitre_id = "T1090.004"
},
has_attacker = true,
}

10
scripts/lua/modules/alert_definitions/flow/alert_ndpi_tls_suspicious_extension.lua
View file

@ -10,6 +10,8 @@ local flow_alert_keys = require "flow_alert_keys"
local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
-- Import Mitre Att&ck utils
local mitre = require "mitre_utils"
-- ##############################################
@ -21,6 +23,14 @@ alert_ndpi_tls_suspicious_extension.meta = {
alert_key = flow_alert_keys.flow_alert_ndpi_tls_suspicious_extension,
i18n_title = "flow_checks_config.tls_suspicious_extension",
icon = "fas fa-fw fa-info-circle",
-- Mitre Att&ck Matrix values
mitre_values = {
mitre_tactic = mitre.tactic.c_and_c,
mitre_tecnique = mitre.tecnique.data_obfuscation,
mitre_sub_tecnique = mitre.sub_tecnique.protocol_impersonation,
mitre_id = "T1001.003"
},
}
-- ##############################################

9
scripts/lua/modules/alert_definitions/flow/alert_ndpi_tls_uncommon_alpn.lua
View file

@ -10,6 +10,8 @@ local flow_alert_keys = require "flow_alert_keys"
local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
-- Import Mitre Att&ck utils
local mitre = require "mitre_utils"
-- ##############################################
@ -21,6 +23,13 @@ alert_ndpi_tls_uncommon_alpn.meta = {
alert_key = flow_alert_keys.flow_alert_ndpi_tls_uncommon_alpn,
i18n_title = "flow_checks_config.tls_uncommon_alpn",
icon = "fas fa-fw fa-info-circle",
-- Mitre Att&ck Matrix values
mitre_values = {
mitre_tactic = mitre.tactic.discovery,
mitre_tecnique = mitre.tecnique.remote_system_discovery,
mitre_id = "T1018"
},
}
-- ##############################################

10
scripts/lua/modules/alert_definitions/flow/alert_ndpi_unidirectional_traffic.lua
View file

@ -10,6 +10,8 @@ local flow_alert_keys = require "flow_alert_keys"
local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
-- Import Mitre Att&ck utils
local mitre = require "mitre_utils"
-- ##############################################
@ -21,6 +23,14 @@ alert_unidirectional_traffic.meta = {
alert_key = flow_alert_keys.flow_alert_ndpi_unidirectional_traffic,
i18n_title = "flow_details.unidirectional_traffic",
icon = "fas fa-fw fa-info-circle",
-- Mitre Att&ck Matrix values
mitre_values = {
mitre_tactic = mitre.tactic.c_and_c,
mitre_tecnique = mitre.tecnique.web_service,
mitre_sub_tecnique = mitre.sub_tecnique.one_way_communication,
mitre_id = "T1102.003"
},
}
-- ##############################################

9
scripts/lua/modules/alert_definitions/flow/alert_ndpi_unsafe_protocol.lua
View file

@ -9,6 +9,8 @@ local flow_alert_keys = require "flow_alert_keys"
local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
-- Import Mitre Att&ck utils
local mitre = require "mitre_utils"
-- ##############################################
@ -21,6 +23,13 @@ alert_ndpi_unsafe_protocol.meta = {
i18n_title = "alerts_dashboard.ndpi_unsafe_protocol_title",
icon = "fas fa-fw fa-exclamation",
-- Mitre Att&ck Matrix values
mitre_values = {
mitre_tactic = mitre.tactic.credential_access,
mitre_tecnique = mitre.tecnique.forced_authentication,
mitre_id = "T1187"
},
has_attacker = true,
}

8
scripts/lua/modules/alert_definitions/flow/alert_ndpi_url_possible_rce_injection.lua
View file

@ -9,6 +9,8 @@ local flow_alert_keys = require "flow_alert_keys"
local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
-- Import Mitre Att&ck utils
local mitre = require "mitre_utils"
-- ##############################################
@ -21,6 +23,12 @@ alert_ndpi_url_possible_rce_injection.meta = {
i18n_title = "alerts_dashboard.ndpi_url_possible_rce_injection_title",
icon = "fas fa-fw fa-exclamation",
-- Mitre Att&ck Matrix values
mitre_values = {
mitre_tactic = mitre.tactic.execution,
mitre_id = "TA0002"
},
has_victim = true,
has_attacker = true,
}

9
scripts/lua/modules/alert_definitions/flow/alert_ndpi_url_possible_sql_injection.lua
View file

@ -9,6 +9,8 @@ local flow_alert_keys = require "flow_alert_keys"
local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
-- Import Mitre Att&ck utils
local mitre = require "mitre_utils"
-- ##############################################
@ -21,6 +23,13 @@ alert_ndpi_url_possible_sql_injection.meta = {
i18n_title = "alerts_dashboard.ndpi_url_possible_sql_injection_title",
icon = "fas fa-fw fa-exclamation",
-- Mitre Att&ck Matrix values
mitre_values = {
mitre_tactic = mitre.tactic.initial_access,
mitre_tecnique = mitre.tecnique.exploit_pub_facing_app,
mitre_id = "T1190"
},
has_victim = true,
has_attacker = true,
}

9
scripts/lua/modules/alert_definitions/flow/alert_ndpi_url_possible_xss.lua
View file

@ -9,6 +9,8 @@ local flow_alert_keys = require "flow_alert_keys"
local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
-- Import Mitre Att&ck utils
local mitre = require "mitre_utils"
-- ##############################################
@ -21,6 +23,13 @@ alert_ndpi_url_possible_xss.meta = {
i18n_title = "alerts_dashboard.ndpi_url_possible_xss_title",
icon = "fas fa-fw fa-exclamation",
-- Mitre Att&ck Matrix values
mitre_values = {
mitre_tactic = mitre.tactic.credential_access,
mitre_tecnique = mitre.tecnique.steal_web_session_cookie,
mitre_id = "T1539"
},
has_victim = true,
has_attacker = true,
}

9
scripts/lua/modules/alert_definitions/flow/alert_periodicity_changed.lua
View file

@ -10,6 +10,8 @@ local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
local json = require "dkjson"
-- Import Mitre Att&ck utils
local mitre = require "mitre_utils"
-- ##############################################
@ -21,6 +23,13 @@ alert_periodicity_changed.meta = {
alert_key = flow_alert_keys.flow_alert_periodicity_changed,
i18n_title = "alerts_dashboard.alert_periodicity_update",
icon = "fas fa-fw fa-arrows-alt-h",
-- Mitre Att&ck Matrix values
mitre_values = {
mitre_tactic = mitre.tactic.exfiltration,
mitre_tecnique = mitre.tecnique.scheduled_tranfer,
mitre_id = "T1029"
},
}
-- ##############################################

9
scripts/lua/modules/alert_definitions/flow/alert_rare_destination.lua
View file

@ -9,6 +9,8 @@ local flow_alert_keys = require "flow_alert_keys"
local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
-- Import Mitre Att&ck utils
local mitre = require "mitre_utils"
-- ##############################################
@ -20,6 +22,13 @@ alert_rare_destination.meta = {
alert_key = flow_alert_keys.flow_alert_rare_destination,
i18n_title = "flow_checks_config.rare_destination",
icon = "fas fa-fw fa-exclamation",
-- Mitre Att&ck Matrix values
mitre_values = {
mitre_tactic = mitre.tactic.c_and_c,
mitre_tecnique = mitre.tecnique.dynamic_resolution,
mitre_id = "T1568"
},
}
-- ##############################################

9
scripts/lua/modules/alert_definitions/flow/alert_remote_access.lua
View file

@ -9,6 +9,8 @@ local flow_alert_keys = require "flow_alert_keys"
local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
-- Import Mitre Att&ck utils
local mitre = require "mitre_utils"
-- require "lua_utils"
@ -22,6 +24,13 @@ alert_remote_access.meta = {
alert_key = flow_alert_keys.flow_alert_remote_access,
i18n_title = "alerts_dashboard.remote_access_title",
icon = "fas fa-fw fa-info",
-- Mitre Att&ck Matrix values
mitre_values = {
mitre_tactic = mitre.tactic.initial_access,
mitre_tecnique = mitre.tecnique.ext_remote_services,
mitre_id = "T1133"
},
}
-- ##############################################

10
scripts/lua/modules/alert_definitions/flow/alert_remote_to_local_insecure_flow.lua
View file

@ -12,6 +12,8 @@ local json = require("dkjson")
local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
-- Import Mitre Att&ck utils
local mitre = require "mitre_utils"
-- ##############################################
@ -24,6 +26,14 @@ alert_remote_to_local_insecure_flow.meta = {
i18n_title = "flow_checks_config.remote_to_local_insecure_flow_title",
icon = "fas fa-fw fa-exclamation",
-- Mitre Att&ck Matrix values
mitre_values = {
mitre_tactic = mitre.tactic.lateral_movement,
mitre_tecnique = mitre.tecnique.remote_services,
mitre_sub_tecnique = mitre.sub_tecnique.remote_desktop_proto,
mitre_id = "T1021.001"
},
has_victim = true,
has_attacker = true,
}

10
scripts/lua/modules/alert_definitions/flow/alert_remote_to_remote.lua
View file

@ -12,6 +12,8 @@ local json = require("dkjson")
local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
-- Import Mitre Att&ck utils
local mitre = require "mitre_utils"
-- ##############################################
@ -23,6 +25,14 @@ alert_remote_to_remote.meta = {
alert_key = flow_alert_keys.flow_alert_remote_to_remote,
i18n_title = "flow_checks_config.remote_to_remote",
icon = "fas fa-fw fa-exclamation",
-- Mitre Att&ck Matrix values
mitre_values = {
mitre_tactic = mitre.tactic.lateral_movement,
mitre_tecnique = mitre.tecnique.session_hijacking,
mitre_sub_tecnique = mitre.sub_tecnique.rdp_hijacking,
mitre_id = "T1563.002"
},
}
-- ##############################################

16
scripts/lua/modules/alert_definitions/flow/alert_tcp_connection_no_answer.lua
View file

@ -9,6 +9,8 @@ local flow_alert_keys = require "flow_alert_keys"
local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
-- Import Mitre Att&ck utils
local mitre = require "mitre_utils"
-- ##############################################
@ -17,9 +19,17 @@ local alert_tcp_connection_no_answer = classes.class(alert)
-- ##############################################
alert_tcp_connection_no_answer.meta = {
alert_key = flow_alert_keys.flow_alert_connection_failed,
i18n_title = "flow_checks_config.tcp_connection_no_answer_title",
icon = "fas fa-fw fa-exclamation",
alert_key = flow_alert_keys.flow_alert_connection_failed,
i18n_title = "flow_checks_config.tcp_connection_no_answer_title",
icon = "fas fa-fw fa-exclamation",
-- Mitre Att&ck Matrix values
mitre_values = {
mitre_tactic = mitre.tactic.persistence,
mitre_tecnique = mitre.tecnique.traffic_signaling,
mitre_sub_tecnique = mitre.sub_tecnique.port_knocking,
mitre_id = "T1205.001"
},
}
-- ##############################################

9
scripts/lua/modules/alert_definitions/flow/alert_tcp_connection_refused.lua
View file

@ -9,6 +9,8 @@ local flow_alert_keys = require "flow_alert_keys"
local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
-- Import Mitre Att&ck utils
local mitre = require "mitre_utils"
-- ##############################################
@ -20,6 +22,13 @@ alert_tcp_connection_refused.meta = {
alert_key = flow_alert_keys.flow_alert_tcp_connection_refused,
i18n_title = "flow_checks_config.tcp_connection_refused",
icon = "fas fa-fw fa-exclamation",
-- Mitre Att&ck Matrix values
mitre_values = {
mitre_tactic = mitre.tactic.discovery,
mitre_tecnique = mitre.tecnique.network_service_discovery,
mitre_id = "T1046"
},
}
-- ##############################################

9
scripts/lua/modules/alert_definitions/flow/alert_tcp_flow_reset.lua
View file

@ -9,6 +9,8 @@ local flow_alert_keys = require "flow_alert_keys"
local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
-- Import Mitre Att&ck utils
local mitre = require "mitre_utils"
local format_utils = require "format_utils"
@ -22,6 +24,13 @@ alert_tcp_flow_reset.meta = {
alert_key = flow_alert_keys.flow_alert_tcp_flow_reset,
i18n_title = "flow_checks_config.flow_reset_title",
icon = "fas fa-fw fa-exclamation",
-- Mitre Att&ck Matrix values
mitre_values = {
mitre_tactic = mitre.tactic.impact,
mitre_tecnique = mitre.tecnique.endpoint_ddos,
mitre_id = "T1499"
},
}
-- ##############################################

9
scripts/lua/modules/alert_definitions/flow/alert_tls_certificate_expired.lua
View file

@ -9,6 +9,8 @@ local flow_alert_keys = require "flow_alert_keys"
local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
-- Import Mitre Att&ck utils
local mitre = require "mitre_utils"
-- ##############################################
@ -20,6 +22,13 @@ alert_tls_certificate_expired.meta = {
alert_key = flow_alert_keys.flow_alert_tls_certificate_expired,
i18n_title = "flow_details.tls_certificate_expired",
icon = "fas fa-fw fa-exclamation",
-- Mitre Att&ck Matrix values
mitre_values = {
mitre_tactic = mitre.tactic.initial_access,
mitre_tecnique = mitre.tecnique.valid_accounts,
mitre_id = "T1078"
},
}
-- ##############################################

9
scripts/lua/modules/alert_definitions/flow/alert_tls_certificate_mismatch.lua
View file

@ -9,6 +9,8 @@ local flow_alert_keys = require "flow_alert_keys"
local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
-- Import Mitre Att&ck utils
local mitre = require "mitre_utils"
-- ##############################################
@ -20,6 +22,13 @@ alert_tls_certificate_mismatch.meta = {
alert_key = flow_alert_keys.flow_alert_tls_certificate_mismatch,
i18n_title = "flow_details.tls_certificate_mismatch",
icon = "fas fa-fw fa-exclamation",
-- Mitre Att&ck Matrix values
mitre_values = {
mitre_tactic = mitre.tactic.defense_evasion,
mitre_tecnique = mitre.tecnique.indicator_removal,
mitre_id = "T1070"
},
}
-- ##############################################

9
scripts/lua/modules/alert_definitions/flow/alert_tls_certificate_selfsigned.lua
View file

@ -9,6 +9,8 @@ local flow_alert_keys = require "flow_alert_keys"
local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
-- Import Mitre Att&ck utils
local mitre = require "mitre_utils"
-- ##############################################
@ -20,6 +22,13 @@ alert_tls_certificate_selfsigned.meta = {
alert_key = flow_alert_keys.flow_alert_tls_certificate_selfsigned,
i18n_title = "flow_details.tls_certificate_selfsigned",
icon = "fas fa-fw fa-exclamation",
-- Mitre Att&ck Matrix values
mitre_values = {
mitre_tactic = mitre.tactic.credential_access,
mitre_tecnique = mitre.tecnique.adversary_in_the_middle,
mitre_id = "T1557"
},
}
-- ##############################################

9
scripts/lua/modules/alert_definitions/flow/alert_tls_unsafe_ciphers.lua
View file

@ -9,6 +9,8 @@ local flow_alert_keys = require "flow_alert_keys"
local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
-- Import Mitre Att&ck utils
local mitre = require "mitre_utils"
-- ##############################################
@ -20,6 +22,13 @@ alert_tls_unsafe_ciphers.meta = {
alert_key = flow_alert_keys.flow_alert_tls_unsafe_ciphers,
i18n_title = "flow_details.tls_unsafe_ciphers",
icon = "fas fa-fw fa-exclamation",
-- Mitre Att&ck Matrix values
mitre_values = {
mitre_tactic = mitre.tactic.c_and_c,
mitre_tecnique = mitre.tecnique.encrypted_channel,
mitre_id = "T1573"
},
}
-- ##############################################

9
scripts/lua/modules/alert_definitions/flow/alert_unexpected_dhcp_server.lua
View file

@ -9,6 +9,8 @@ local flow_alert_keys = require "flow_alert_keys"
local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
-- Import Mitre Att&ck utils
local mitre = require "mitre_utils"
-- ##############################################
@ -21,6 +23,13 @@ alert_unexpected_dhcp_server.meta = {
i18n_title = "flow_alerts_explorer.alert_unexpected_dhcp_title",
icon = "fas fa-fw fa-exclamation",
-- Mitre Att&ck Matrix values
mitre_values = {
mitre_tactic = mitre.tactic.defense_evasion,
mitre_tecnique = mitre.tecnique.rogue_domain_controller,
mitre_id = "T1207"
},
has_attacker = true,
}

10
scripts/lua/modules/alert_definitions/flow/alert_unexpected_dns_server.lua
View file

@ -9,6 +9,8 @@ local flow_alert_keys = require "flow_alert_keys"
local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
-- Import Mitre Att&ck utils
local mitre = require "mitre_utils"
-- ##############################################
@ -21,6 +23,14 @@ alert_unexpected_dns_server.meta = {
i18n_title = "flow_alerts_explorer.alert_unexpected_dns_title",
icon = "fas fa-fw fa-exclamation",
-- Mitre Att&ck Matrix values
mitre_values = {
mitre_tactic = mitre.tactic.c_and_c,
mitre_tecnique = mitre.tecnique.app_layer_proto,
mitre_sub_tecnique = mitre.sub_tecnique.dns,
mitre_id = "T1071.004"
},
has_attacker = true,
}

10
scripts/lua/modules/alert_definitions/flow/alert_unexpected_ntp_server.lua
View file

@ -9,6 +9,8 @@ local flow_alert_keys = require "flow_alert_keys"
local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
-- Import Mitre Att&ck utils
local mitre = require "mitre_utils"
-- ##############################################
@ -21,6 +23,14 @@ alert_unexpected_ntp_server.meta = {
i18n_title = "flow_alerts_explorer.alert_unexpected_ntp_title",
icon = "fas fa-fw fa-exclamation",
-- Mitre Att&ck Matrix values
mitre_values = {
mitre_tactic = mitre.tactic.impact,
mitre_tecnique = mitre.tecnique.network_ddos,
mitre_sub_tecnique = mitre.sub_tecnique.reflection_amplification,
mitre_id = "T1498.002"
},
has_attacker = true,
}

10
scripts/lua/modules/alert_definitions/flow/alert_unexpected_smtp_server.lua
View file

@ -9,6 +9,8 @@ local flow_alert_keys = require "flow_alert_keys"
local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
-- Import Mitre Att&ck utils
local mitre = require "mitre_utils"
-- ##############################################
@ -21,6 +23,14 @@ alert_unexpected_smtp_server.meta = {
i18n_title = "flow_alerts_explorer.alert_unexpected_smtp_title",
icon = "fas fa-fw fa-exclamation",
-- Mitre Att&ck Matrix values
mitre_values = {
mitre_tactic = mitre.tactic.c_and_c,
mitre_tecnique = mitre.tecnique.app_layer_proto,
mitre_sub_tecnique = mitre.sub_tecnique.mail_protocol,
mitre_id = "T1071.003"
},
has_attacker = true,
}

9
scripts/lua/modules/alert_definitions/flow/alert_web_mining.lua
View file

@ -9,6 +9,8 @@ local flow_alert_keys = require "flow_alert_keys"
local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
-- Import Mitre Att&ck utils
local mitre = require "mitre_utils"
-- ##############################################
@ -20,6 +22,13 @@ alert_web_mining.meta = {
alert_key = flow_alert_keys.flow_alert_web_mining,
i18n_title = "alerts_dashboard.web_mining",
icon = "fab fa-bitcoin",
-- Mitre Att&ck Matrix values
mitre_values = {
mitre_tactic = mitre.tactic.impact,
mitre_tecnique = mitre.tecnique.resource_hijacking,
mitre_id = "T1496"
},
}
-- ##############################################

9
scripts/lua/modules/alert_definitions/flow/alert_zero_tcp_window.lua
View file

@ -9,6 +9,8 @@ local flow_alert_keys = require "flow_alert_keys"
local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
-- Import Mitre Att&ck utils
local mitre = require "mitre_utils"
-- ##############################################
@ -20,6 +22,13 @@ alert_zero_tcp_window.meta = {
alert_key = flow_alert_keys.flow_alert_zero_tcp_window,
i18n_title = "flow_alerts_explorer.alert_zero_tcp_window_title",
icon = "fas fa-fw fa-arrow-circle-up",
-- Mitre Att&ck Matrix values
mitre_values = {
mitre_tactic = mitre.tactic.impact,
mitre_tecnique = mitre.tecnique.endpoint_ddos,
mitre_id = "T1499"
},
}
-- ##############################################

10
scripts/lua/modules/alert_definitions/host/host_alert_countries_contacts.lua
View file

@ -12,6 +12,8 @@ local json = require("dkjson")
local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
-- Import Mitre Att&ck utils
local mitre = require "mitre_utils"
-- ##############################################
@ -23,6 +25,14 @@ host_alert_countries_contacts.meta = {
alert_key = host_alert_keys.host_alert_countries_contacts,
i18n_title = "alerts_dashboard.host_alert_countries_contacts",
icon = "fas fa-fw fa-life-ring",
-- Mitre Att&ck Matrix values
mitre_values = {
mitre_tactic = mitre.tactic.c_and_c,
mitre_tecnique = mitre.tecnique.web_service,
mitre_id = "T1102"
},
has_victim = true,
}

9
scripts/lua/modules/alert_definitions/host/host_alert_dangerous_host.lua
View file

@ -12,6 +12,8 @@ local alert_creators = require "alert_creators"
local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
-- Import Mitre Att&ck utils
local mitre = require "mitre_utils"
-- ##############################################
@ -23,6 +25,13 @@ host_alert_dangerous_host.meta = {
alert_key = host_alert_keys.host_alert_dangerous_host,
i18n_title = "alerts_dashboard.dangerous_host_title",
icon = "fas fa-exclamation-triangle",
-- Mitre Att&ck Matrix values
mitre_values = {
mitre_tactic = mitre.tactic.exfiltration,
mitre_tecnique = mitre.tecnique.exfiltration_over_c2_channel,
mitre_id = "T1041"
},
}
-- ##############################################

10
scripts/lua/modules/alert_definitions/host/host_alert_dns_flood.lua
View file

@ -13,6 +13,8 @@ local alert_creators = require "alert_creators"
local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
-- Import Mitre Att&ck utils
local mitre = require "mitre_utils"
-- ##############################################
@ -25,6 +27,14 @@ host_alert_dns_flood.meta = {
i18n_title = "alerts_dashboard.dns_flood",
icon = "fas fa-fw fa-life-ring",
has_attacker = true,
-- Mitre Att&ck Matrix values
mitre_values = {
mitre_tactic = mitre.tactic.impact,
mitre_tecnique = mitre.tecnique.network_ddos,
mitre_sub_tecnique = mitre.sub_tecnique.reflection_amplification,
mitre_id = "T1498.002"
},
}
-- ##############################################

11
scripts/lua/modules/alert_definitions/host/host_alert_dns_server_contacts.lua
View file

@ -12,6 +12,8 @@ local json = require("dkjson")
local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
-- Import Mitre Att&ck utils
local mitre = require "mitre_utils"
-- ##############################################
@ -24,6 +26,15 @@ host_alert_dns_server_contacts.meta = {
i18n_title = "alerts_thresholds_config.dns_traffic",
icon = "fas fa-fw fa-life-ring",
has_victim = true,
-- Mitre Att&ck Matrix values
mitre_values = {
mitre_tactic = mitre.tactic.c_and_c,
mitre_tecnique = mitre.tecnique.app_layer_proto,
mitre_sub_tecnique = mitre.sub_tecnique.dns,
mitre_id = "T1071.004"
},
}
-- ##############################################

9
scripts/lua/modules/alert_definitions/host/host_alert_domain_names_contacts.lua
View file

@ -10,6 +10,8 @@ local json = require("dkjson")
local classes = require "classes"
--Make sure to import the Superclass!
local alert = require "alert"
-- Import Mitre Att&ck utils
local mitre = require "mitre_utils"
--##############################################
@ -22,6 +24,13 @@ alert_key = host_alert_keys.host_alert_domain_names_contacts,
i18n_title = "alerts_thresholds_config.domain_names_contacts_title",
icon = "fas fa-fw fa-arrow-circle-up",
-- Mitre Att&ck Matrix values
mitre_values = {
mitre_tactic = mitre.tactic.c_and_c,
mitre_tecnique = mitre.tecnique.proxy,
mitre_sub_tecnique = mitre.sub_tecnique.external_proxy,
mitre_id = "T1090.002"
},
}
--##############################################

9
scripts/lua/modules/alert_definitions/host/host_alert_flow_anomaly.lua
View file

@ -12,6 +12,8 @@ local json = require("dkjson")
local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
-- Import Mitre Att&ck utils
local mitre = require "mitre_utils"
-- ##############################################
@ -24,6 +26,13 @@ host_alert_flow_anomaly.meta = {
i18n_title = "alerts_dashboard.flow_anomaly",
icon = "fas fa-fw fa-life-ring",
has_attacker = true,
-- Mitre Att&ck Matrix values
mitre_values = {
mitre_tactic = mitre.tactic.exfiltration,
mitre_tecnique = mitre.tecnique.exfiltration_over_alt_proto,
mitre_id = "T1048"
},
}
-- ##############################################

9
scripts/lua/modules/alert_definitions/host/host_alert_flow_flood.lua
View file

@ -13,6 +13,8 @@ local json = require("dkjson")
local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
-- Import Mitre Att&ck utils
local mitre = require "mitre_utils"
-- ##############################################
@ -25,6 +27,13 @@ host_alert_flow_flood.meta = {
i18n_title = "alerts_dashboard.flow_flood",
icon = "fas fa-fw fa-life-ring",
has_attacker = true,
-- Mitre Att&ck Matrix values
mitre_values = {
mitre_tactic = mitre.tactic.impact,
mitre_tecnique = mitre.tecnique.network_ddos,
mitre_id = "T1498"
},
}
-- ##############################################

9
scripts/lua/modules/alert_definitions/host/host_alert_icmp_flood.lua
View file

@ -13,6 +13,8 @@ local alert_creators = require "alert_creators"
local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
-- Import Mitre Att&ck utils
local mitre = require "mitre_utils"
-- ##############################################
@ -25,6 +27,13 @@ host_alert_icmp_flood.meta = {
i18n_title = "alerts_dashboard.icmp_flood",
icon = "fas fa-fw fa-life-ring",
has_attacker = true,
-- Mitre Att&ck Matrix values
mitre_values = {
mitre_tactic = mitre.tactic.impact,
mitre_tecnique = mitre.tecnique.network_ddos,
mitre_sub_tecnique = mitre.sub_tecnique.direct_network_flood,
mitre_id = "T1498.001"},
}
-- ##############################################

10
scripts/lua/modules/alert_definitions/host/host_alert_ntp_server_contacts.lua
View file

@ -12,6 +12,8 @@ local json = require("dkjson")
local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
-- Import Mitre Att&ck utils
local mitre = require "mitre_utils"
-- ##############################################
@ -24,6 +26,14 @@ host_alert_ntp_server_contacts.meta = {
i18n_title = "alerts_dashboard.host_alert_ntp_server_contacts",
icon = "fas fa-fw fa-life-ring",
has_victim = true,
-- Mitre Att&ck Matrix values
mitre_values = {
mitre_tactic = mitre.tactic.impact,
mitre_tecnique = mitre.tecnique.network_ddos,
mitre_sub_tecnique = mitre.sub_tecnique.reflection_amplification,
mitre_id = "T1498.002"
},
}
-- ##############################################

9
scripts/lua/modules/alert_definitions/host/host_alert_remote_connection.lua
View file

@ -11,6 +11,8 @@ local alert_creators = require "alert_creators"
local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
-- Import Mitre Att&ck utils
local mitre = require "mitre_utils"
-- ##############################################
@ -22,6 +24,13 @@ host_alert_remote_connection.meta = {
alert_key = host_alert_keys.host_alert_remote_connection,
i18n_title = "alerts_dashboard.remote_connection_title",
icon = "fas fa-fw fa-info",
-- Mitre Att&ck Matrix values
mitre_values = {
mitre_tactic = mitre.tactic.persistence,
mitre_tecnique = mitre.tecnique.ext_remote_services,
mitre_id = "T1133"
},
}
-- ##############################################

9
scripts/lua/modules/alert_definitions/host/host_alert_scan_detected.lua
View file

@ -12,6 +12,8 @@ local alert_creators = require "alert_creators"
local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
-- Import Mitre Att&ck utils
local mitre = require "mitre_utils"
-- ##############################################
@ -24,6 +26,13 @@ host_alert_scan_detected.meta = {
i18n_title = "alerts_dashboard.scan_detected",
icon = "fas fa-fw fa-life-ring",
has_attacker = true,
-- Mitre Att&ck Matrix values
mitre_values = {
mitre_tactic = mitre.tactic.reconnaissance,
mitre_tecnique = mitre.tecnique.active_scanning,
mitre_id = "T1595"
},
}
-- ##############################################

9
scripts/lua/modules/alert_definitions/host/host_alert_server_ports_contacts.lua
View file

@ -12,6 +12,8 @@ local json = require("dkjson")
local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
-- Import Mitre Att&ck utils
local mitre = require "mitre_utils"
-- ##############################################
@ -23,6 +25,13 @@ host_alert_server_ports_contacts.meta = {
alert_key = host_alert_keys.host_alert_server_ports_contacts,
i18n_title = "alerts_dashboard.host_alert_server_ports_contacts",
icon = "fas fa-fw fa-life-ring",
-- Mitre Att&ck Matrix values
mitre_values = {
mitre_tactic = mitre.tactic.initial_access,
mitre_tecnique = mitre.tecnique.ext_remote_services,
mitre_id = "T1133"
},
}
-- ##############################################

10
scripts/lua/modules/alert_definitions/host/host_alert_smtp_server_contacts.lua
View file

@ -12,6 +12,8 @@ local json = require("dkjson")
local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
-- Import Mitre Att&ck utils
local mitre = require "mitre_utils"
-- ##############################################
@ -24,6 +26,14 @@ host_alert_smtp_server_contacts.meta = {
i18n_title = "alerts_dashboard.host_alert_smtp_server_contacts",
icon = "fas fa-fw fa-life-ring",
has_victim = true,
-- Mitre Att&ck Matrix values
mitre_values = {
mitre_tactic = mitre.tactic.c_and_c,
mitre_tecnique = mitre.tecnique.app_layer_proto,
mitre_sub_tecnique = mitre.sub_tecnique.mail_protocol,
mitre_id = "T1071.003"
},
}
-- ##############################################

10
scripts/lua/modules/alert_definitions/host/host_alert_snmp_flood.lua
View file

@ -13,6 +13,8 @@ local alert_creators = require "alert_creators"
local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
-- Import Mitre Att&ck utils
local mitre = require "mitre_utils"
-- ##############################################
@ -25,6 +27,14 @@ host_alert_snmp_flood.meta = {
i18n_title = "alerts_dashboard.snmp_flood",
icon = "fas fa-fw fa-life-ring",
has_attacker = true,
-- Mitre Att&ck Matrix values
mitre_values = {
mitre_tactic = mitre.tactic.impact,
mitre_tecnique = mitre.tecnique.network_ddos,
mitre_sub_tecnique = mitre.sub_tecnique.direct_network_flood,
mitre_id = "T1498.001"
},
}
-- ##############################################

9
scripts/lua/modules/alert_definitions/host/host_alert_tcp_fin_scan.lua
View file

@ -12,6 +12,8 @@ local alert_creators = require "alert_creators"
local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
-- Import Mitre Att&ck utils
local mitre = require "mitre_utils"
-- ##############################################
@ -24,6 +26,13 @@ host_alert_tcp_fin_scan.meta = {
i18n_title = "alerts_dashboard.tcp_fin_scan",
icon = "fas fa-fw fa-life-ring",
has_attacker = true,
-- Mitre Att&ck Matrix values
mitre_values = {
mitre_tactic = mitre.tactic.reconnaissance,
mitre_tecnique = mitre.tecnique.active_scanning,
mitre_id = "T1595"
},
}
-- ##############################################

9
scripts/lua/modules/alert_definitions/host/host_alert_tcp_rst_scan.lua
View file

@ -11,6 +11,8 @@ local alert_creators = require "alert_creators"
local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
-- Import Mitre Att&ck utils
local mitre = require "mitre_utils"
-- ##############################################
@ -23,6 +25,13 @@ host_alert_tcp_rst_scan.meta = {
i18n_title = "alerts_dashboard.tcp_rst_scan",
icon = "fas fa-fw fa-life-ring",
has_attacker = true,
-- Mitre Att&ck Matrix values
mitre_values = {
mitre_tactic = mitre.tactic.reconnaissance,
mitre_tecnique = mitre.tecnique.active_scanning,
mitre_id = "T1595"
},
}
-- ##############################################

10
scripts/lua/modules/alert_definitions/host/host_alert_tcp_syn_flood.lua
View file

@ -13,6 +13,8 @@ local alert_creators = require "alert_creators"
local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
-- Import Mitre Att&ck utils
local mitre = require "mitre_utils"
-- ##############################################
@ -25,6 +27,14 @@ host_alert_tcp_syn_flood.meta = {
i18n_title = "alerts_dashboard.tcp_syn_flood",
icon = "fas fa-fw fa-life-ring",
has_attacker = true,
-- Mitre Att&ck Matrix values
mitre_values = {
mitre_tactic = mitre.tactic.impact,
mitre_tecnique = mitre.tecnique.network_ddos,
mitre_sub_tecnique = mitre.sub_tecnique.direct_network_flood,
mitre_id = "T1498.001"
},
}
-- ##############################################

9
scripts/lua/modules/alert_definitions/host/host_alert_tcp_syn_scan.lua
View file

@ -12,6 +12,8 @@ local alert_creators = require "alert_creators"
local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
-- Import Mitre Att&ck utils
local mitre = require "mitre_utils"
-- ##############################################
@ -24,6 +26,13 @@ host_alert_tcp_syn_scan.meta = {
i18n_title = "alerts_dashboard.tcp_syn_scan",
icon = "fas fa-fw fa-life-ring",
has_attacker = true,
-- Mitre Att&ck Matrix values
mitre_values = {
mitre_tactic = mitre.tactic.reconnaissance,
mitre_tecnique = mitre.tecnique.active_scanning,
mitre_id = "T1595"
},
}
-- ##############################################

9
scripts/lua/modules/alert_definitions/other/alert_broadcast_domain_too_large.lua
View file

@ -10,6 +10,8 @@ local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
local alert_entities = require "alert_entities"
-- Import Mitre Att&ck utils
local mitre = require "mitre_utils"
-- ##############################################
@ -24,6 +26,13 @@ alert_broadcast_domain_too_large.meta = {
entities = {
alert_entities.mac
},
-- Mitre Att&ck Matrix values
mitre_values = {
mitre_tactic = mitre.tactic.discovery,
mitre_tecnique = mitre.tecnique.system_network_conf_discovery,
mitre_id = "T1016"
},
}
-- ##############################################

10
scripts/lua/modules/alert_definitions/other/alert_dhcp_storm.lua
View file

@ -11,6 +11,8 @@ local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
local alert_entities = require "alert_entities"
-- Import Mitre Att&ck utils
local mitre = require "mitre_utils"
-- ##############################################
@ -25,6 +27,14 @@ alert_dhcp_storm.meta = {
entities = {
alert_entities.interface,
},
-- Mitre Att&ck Matrix values
mitre_values = {
mitre_tactic = mitre.tactic.credential_access,
mitre_tecnique = mitre.tecnique.adversary_in_the_middle,
mitre_sub_tecnique = mitre.sub_tecnique.dhcp_spoofing,
mitre_id = "T1557.003"
},
}
-- ##############################################

9
scripts/lua/modules/alert_definitions/other/alert_ghost_network.lua
View file

@ -11,6 +11,8 @@ local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
local alert_entities = require "alert_entities"
-- Import Mitre Att&ck utils
local mitre = require "mitre_utils"
-- ##############################################
@ -26,6 +28,13 @@ alert_ghost_network.meta = {
alert_entities.interface,
alert_entities.network
},
-- Mitre Att&ck Matrix values
mitre_values = {
mitre_tactic = mitre.tactic.c_and_c,
mitre_tecnique = mitre.tecnique.hide_infrastructure,
mitre_id = "T1665"
},
}
-- ##############################################

10
scripts/lua/modules/alert_definitions/other/alert_mac_ip_association_change.lua
View file

@ -10,6 +10,8 @@ local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
local alert_entities = require "alert_entities"
-- Import Mitre Att&ck utils
local mitre = require "mitre_utils"
-- ##############################################
@ -24,6 +26,14 @@ alert_mac_ip_association_change.meta = {
entities = {
alert_entities.mac
},
-- Mitre Att&ck Matrix values
mitre_values = {
mitre_tactic = mitre.tactic.credential_access,
mitre_tecnique = mitre.tecnique.adversary_in_the_middle,
mitre_sub_tecnique = mitre.sub_tecnique.arp_cache_poisoning,
mitre_id = "T1557.002"
},
}
-- ##############################################

10
scripts/lua/modules/alert_definitions/other/alert_network_discovery_executed.lua
View file

@ -10,6 +10,8 @@ local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
local alert_entities = require "alert_entities"
-- Import Mitre Att&ck utils
local mitre = require "mitre_utils"
-- ##############################################
@ -24,6 +26,14 @@ alert_network_discovery_executed.meta = {
entities = {
alert_entities.interface
},
-- Mitre Att&ck Matrix values
mitre_values = {
mitre_tactic = mitre.tactic.reconnaissance,
mitre_tecnique = mitre.tecnique.gather_victim_net_info,
mitre_sub_tecnique = mitre.sub_tecnique.network_topology,
mitre_ID = "T1590.004"
},
}
-- ##############################################

Some files were not shown because too many files have changed in this diff Show more