Joren/Barracuda_CGFW_Wazuh
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add rules.xml

Browse Source
This commit is contained in:
Joren
2025-05-16 10:26:18 +02:00
parent 731eeed1c2
commit 87168d66ea
1 changed files with 73 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

73
rules.xml Normal file
View File

@@ -0,0 +1,73 @@
<!-- CGFW Firewall Activity Rules -->
<group name="cgfw-firewall-activity">
<!-- Rule: Detect Blocked Traffic -->
<rule id="100101" level="8">
<decoded_as>cgfw-firewall-activity</decoded_as>
<field name="Type">DROP|DENY|REJECT</field>
<description>Blocked traffic detected: srcIP=$(srcip) -> dstIP=$(dstip) protocol=$(L4Protocol) rule=$(FirewallRule) user=$(User)</description>
</rule>
<!-- Rule: Detect Allowed Traffic -->
<rule id="100102" level="4">
<decoded_as>cgfw-firewall-activity</decoded_as>
<field name="Type">ALLOW</field>
<description>Allowed traffic detected: srcIP=$(srcip) -> dstIP=$(dstip) protocol=$(L4Protocol) rule=$(FirewallRule) user=$(User)</description>
</rule>
<!-- Rule: High Bandwidth Usage -->
<rule id="100103" level="5">
<decoded_as>cgfw-firewall-activity</decoded_as>
<field name="SentBytes">[1-9][0-9]{7,}</field>
<description>High bandwidth usage detected: srcIP=$(srcip) -> dstIP=$(dstip) sentBytes=$(SentBytes) application=$(Application)</description>
</rule>
<!-- Rule: Large Number of Packets Sent -->
<rule id="100104" level="5">
<decoded_as>cgfw-firewall-activity</decoded_as>
<field name="SentPackets">[1-9][0-9]{5,}</field>
<description>Large number of packets sent: srcIP=$(srcip) -> dstIP=$(dstip) sentPackets=$(SentPackets) application=$(Application)</description>
</rule>
<!-- Rule: Unauthorized Protocols -->
<rule id="100105" level="7">
<decoded_as>cgfw-firewall-activity</decoded_as>
<field name="L4Protocol">FTP|Telnet</field>
<description>Unauthorized protocol detected: srcIP=$(srcip) -> dstIP=$(dstip) protocol=$(L4Protocol) user=$(User)</description>
</rule>
<!-- Rule: Unauthorized Access Attempts -->
<rule id="100106" level="8">
<decoded_as>cgfw-firewall-activity</decoded_as>
<field name="FirewallRule">BLOCKED-ACCESS</field>
<description>Unauthorized access attempt detected: srcIP=$(srcip) -> dstIP=$(dstip) rule=$(FirewallRule) user=$(User)</description>
</rule>
<!-- Rule: Traffic to High-Risk URL Categories -->
<rule id="100107" level="9">
<decoded_as>cgfw-firewall-activity</decoded_as>
<field name="URLCategory">Malware|Phishing|Proxy Avoidance</field>
<description>Traffic to high-risk URL category detected: srcIP=$(srcip) -> dstIP=$(dstip) category=$(URLCategory) content=$(Content)</description>
</rule>
<!-- Rule: Internal to External Traffic Detection -->
<rule id="100108" level="3">
<decoded_as>cgfw-firewall-activity</decoded_as>
<field name="SourceInterface">Internal</field>
<field name="DestinationInterface">External</field>
<description>Internal to external traffic: srcIP=$(srcip) -> dstIP=$(dstip) interface=$(SourceInterface) -> $(DestinationInterface) user=$(User)</description>
</rule>
<!-- Rule: Suspicious Long Session Duration -->
<rule id="100109" level="5">
<decoded_as>cgfw-firewall-activity</decoded_as>
<field name="Duration">[3-9][0-9]{3,}</field>
<description>Suspicious long session duration: srcIP=$(srcip) -> dstIP=$(dstip) duration=$(Duration) seconds application=$(Application)</description>
</rule>
<!-- Default Catch-All for Any Remaining Logs -->
<rule id="100110" level="4">
<decoded_as>cgfw-firewall-activity</decoded_as>
<description>Barracuda Firewall general event: srcIP=$(srcip) -> dstIP=$(dstip) protocol=$(L4Protocol) rule=$(FirewallRule) application=$(Application)</description>
</rule>
</group>