{"id":"cat0","title":"Category 0","description":"Category 0: rules that detect unexpected or anomalous signalling traffic (MAP/CAP application contexts, TCAP transactions, SCCP management, global-title vs source-IP consistency). Each rule calls log_alert with a category tag (cat), an optional knowledge-base id (kbid) and the triggering message (event).","rules":[{"id":"3","title":"Malformed message detected","description":"Triggers an alert if any operation in the message carries the malformed flag (item.malformed). Note: this rule reports under the category tag 'cat0' rather than a descriptive name like the other rules, which makes its alerts harder to filter.","enabled":true,"editable":true,"rule":"\n whenAll: m.operations.anyItem(+item.malformed)\n run: log_alert({\n cat: 'cat0',\n kbid: 1804,\n event: m\n });\n"},{"id":"0","title":"Unknown application context","description":"Triggers an alert if the application context is in neither the list of known MAP application contexts (used_map_ac) nor the list of known CAP application contexts (used_cap_ac). Only MAP and CAP application contexts are supported as known values.","enabled":true,"editable":true,"rule":"\n whenAll: m.application_context.nin(used_map_ac) && m.application_context.nin(used_cap_ac)\n run: log_alert({\n cat: 'unknown_application_context',\n kbid: 1802,\n event: m\n });\n"},{"id":"1","title":"Unknown MAP operation code","description":"Triggers an alert if the message uses a known MAP application context (used_map_ac) and any operation code is in the list of unused MAP operation codes (unused_map_oc). Note: operation codes that are absent from unused_map_oc are not flagged, even if they are not otherwise known.","enabled":true,"editable":true,"rule":"\n whenAll: m.application_context.in(used_map_ac) && m.operations.anyItem(item.oc.in(unused_map_oc))\n run: log_alert({\n cat: 'unknown_map_opcode',\n kbid: 1803,\n event: m\n });\n"},{"id":"2","title":"Unknown CAP operation code","description":"Triggers an alert if the message uses a known CAP application context (used_cap_ac) and any operation code is in the list of unused CAP operation codes (unused_cap_oc). Note: operation codes that are absent from unused_cap_oc are not flagged, even if they are not otherwise known.","enabled":true,"editable":true,"rule":"\n whenAll: m.application_context.in(used_cap_ac) && m.operations.anyItem(item.oc.in(unused_cap_oc))\n run: log_alert({\n cat: 'unknown_cap_opcode',\n kbid: 9908,\n event: m\n });\n"},{"id":"4","description":"Inbound GT spoofing: triggers an alert if any operation has a source IPv4 address outside home_ip_range while its calling GT (cggt) is inside home_gt_range, i.e. a home global title arriving from a non-home IP address. No kbid is assigned to this rule.","enabled":true,"editable":true,"rule":"\n whenAll: m.operations.anyItem(item.ipv4src.nin(home_ip_range) && item.cggt.in(home_gt_range))\n run: log_alert({\n cat: 'gt spoofing',\n event: m\n });\n"},{"id":"5","description":"Outbound GT spoofing: triggers an alert if any operation has a source IPv4 address inside home_ip_range while its called GT (cdgt) is outside home_gt_range. NOTE(review): as written this condition also matches ordinary outbound traffic from a home IP to a foreign called GT; the outbound mirror of rule 4 would check the calling GT (cggt) instead of cdgt. Confirm which field is intended before relying on this rule. No kbid is assigned to this rule.","enabled":true,"editable":true,"rule":"\n whenAll: m.operations.anyItem(item.ipv4src.in(home_ip_range) && item.cdgt.nin(home_gt_range))\n run: log_alert({\n cat: 'gt spoofing out',\n event: m\n });\n"},{"id":"6","description":"TCAP scan: triggers an alert if the message has no application context and any operation has no operation code but a TCAP transaction type of 'Begin', a pattern consistent with probing for live TCAP endpoints. No kbid is assigned to this rule.","enabled":true,"editable":true,"rule":"\n whenAll: ~m.application_context && m.operations.anyItem(~item.oc && item.tc == 'Begin')\n run: log_alert({\n cat: 'tcap_scan',\n event: m\n });\n"},{"id":"7","description":"TCAP scan: triggers an alert if the application context is not one of the short-message relay contexts (shortMsgMT_Relay, shortMsgMO_Relay) and any operation has no operation code but a TCAP transaction type of 'Begin'. NOTE(review): depending on how nin() treats a missing application_context, this rule may fire on the same messages as rule 6 and produce duplicate 'tcap_scan' alerts; confirm the intended overlap. No kbid is assigned to this rule.","enabled":true,"editable":true,"rule":"\n whenAll: m.application_context.nin([\n shortMsgMT_Relay,\n shortMsgMO_Relay\n ]) && m.operations.anyItem(~item.oc && item.tc == 'Begin')\n run: log_alert({\n cat: 'tcap_scan',\n event: m\n });\n"},{"id":"8","description":"Possible SCCP scan: triggers an alert if the message source IPv4 address is outside home_ip_range and an SCCP management (SCMG) message_type is present, i.e. SCCP management traffic received from a non-home address. The category tag 'sccp scan?' marks this detection as tentative. No kbid is assigned to this rule.","enabled":true,"editable":true,"rule":"\n whenAll: m.ipv4src.nin(home_ip_range) && +m.scmg.message_type\n run: log_alert({\n cat: 'sccp scan?',\n event: m\n });\n"}]}