
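<!--
  CGFW (Barracuda CloudGen Firewall) firewall-activity rules.

  Depends on a decoder named "cgfw-firewall-activity" (defined elsewhere, not in
  this file) that exposes the field names matched below (Type, SentBytes,
  SentPackets, L4Protocol, FirewallRule, URLCategory, SourceInterface,
  DestinationInterface, Duration) and the ones interpolated in the descriptions
  (srcip, dstip, Application, Content, User). A $(name) placeholder is only
  expanded when the decoder actually extracted that field - confirm the field
  names against the decoder before relying on the alert text.

  Structure: 100110 is the base rule (every event from this decoder, level 4).
  Each specific rule is a child via <if_sid>100110</if_sid>, so it is evaluated
  only after the base rule matched and, when it matches, replaces the base
  alert. That keeps the catch-all from shadowing the more specific (including
  lower-level) rules whatever the engine's ordering of sibling rules is. The base
  rule must therefore be defined before its children.

  Rule IDs 100101-100110 sit in the custom-rule ID range.

  Regex notes: the default <field> matcher (OS_Regex) supports | alternation and
  ^/$ anchors but has no [...] character classes and no {n,m} quantifiers, so the
  numeric thresholds use type="pcre2" (needs a Wazuh release with PCRE2 support)
  and are anchored with ^...$ so they test the whole value, not a substring.
  The string matchers are left unanchored, as the author wrote them, and so match
  the keyword anywhere inside the field value.
-->
<group name="cgfw-firewall-activity">

  <!-- Base rule and default catch-all: any event from the decoder that no
       child below refines. Defined first so the children can reference it. -->
  <rule id="100110" level="4">
    <decoded_as>cgfw-firewall-activity</decoded_as>
    <description>Barracuda Firewall general event: srcIP=$(srcip) -> dstIP=$(dstip) protocol=$(L4Protocol) rule=$(FirewallRule) application=$(Application)</description>
  </rule>

  <!-- Blocked traffic: Type contains DROP, DENY or REJECT. -->
  <rule id="100101" level="8">
    <if_sid>100110</if_sid>
    <field name="Type">DROP|DENY|REJECT</field>
    <description>Blocked traffic detected: srcIP=$(srcip) -> dstIP=$(dstip) protocol=$(L4Protocol) rule=$(FirewallRule) user=$(User)</description>
  </rule>

  <!-- Allowed traffic: Type contains ALLOW. Informational level. -->
  <rule id="100102" level="4">
    <if_sid>100110</if_sid>
    <field name="Type">ALLOW</field>
    <description>Allowed traffic detected: srcIP=$(srcip) -> dstIP=$(dstip) protocol=$(L4Protocol) rule=$(FirewallRule) user=$(User)</description>
  </rule>

  <!-- High bandwidth: SentBytes is an integer of at least 8 digits, i.e. >= 10000000.
       Unit assumed to be bytes as the field name suggests - confirm with the decoder. -->
  <rule id="100103" level="5">
    <if_sid>100110</if_sid>
    <field name="SentBytes" type="pcre2">^[1-9][0-9]{7,}$</field>
    <description>High bandwidth usage detected: srcIP=$(srcip) -> dstIP=$(dstip) sentBytes=$(SentBytes) application=$(Application)</description>
  </rule>

  <!-- Large packet count: SentPackets is an integer of at least 6 digits, i.e. >= 100000. -->
  <rule id="100104" level="5">
    <if_sid>100110</if_sid>
    <field name="SentPackets" type="pcre2">^[1-9][0-9]{5,}$</field>
    <description>Large number of packets sent: srcIP=$(srcip) -> dstIP=$(dstip) sentPackets=$(SentPackets) application=$(Application)</description>
  </rule>

  <!-- Unauthorized protocols: cleartext FTP or Telnet as the layer-4 protocol. -->
  <rule id="100105" level="7">
    <if_sid>100110</if_sid>
    <field name="L4Protocol">FTP|Telnet</field>
    <description>Unauthorized protocol detected: srcIP=$(srcip) -> dstIP=$(dstip) protocol=$(L4Protocol) user=$(User)</description>
  </rule>

  <!-- Unauthorized access attempts: firewall rule name contains BLOCKED-ACCESS. -->
  <rule id="100106" level="8">
    <if_sid>100110</if_sid>
    <field name="FirewallRule">BLOCKED-ACCESS</field>
    <description>Unauthorized access attempt detected: srcIP=$(srcip) -> dstIP=$(dstip) rule=$(FirewallRule) user=$(User)</description>
  </rule>

  <!-- Traffic to high-risk URL categories. Highest level in this group. -->
  <rule id="100107" level="9">
    <if_sid>100110</if_sid>
    <field name="URLCategory">Malware|Phishing|Proxy Avoidance</field>
    <description>Traffic to high-risk URL category detected: srcIP=$(srcip) -> dstIP=$(dstip) category=$(URLCategory) content=$(Content)</description>
  </rule>

  <!-- Internal-to-external traffic: both interface fields must match.
       Level 3 is lower than the base rule; as a child it still takes precedence. -->
  <rule id="100108" level="3">
    <if_sid>100110</if_sid>
    <field name="SourceInterface">Internal</field>
    <field name="DestinationInterface">External</field>
    <description>Internal to external traffic: srcIP=$(srcip) -> dstIP=$(dstip) interface=$(SourceInterface) -> $(DestinationInterface) user=$(User)</description>
  </rule>

  <!-- Suspicious long session: Duration >= 3000 (4-digit values 3000-9999, or any
       value of 5 or more digits). The original pattern [3-9][0-9]{3,} would have
       missed e.g. 10000-29999. Unit assumed to be seconds per the description - confirm. -->
  <rule id="100109" level="5">
    <if_sid>100110</if_sid>
    <field name="Duration" type="pcre2">^([3-9][0-9]{3}|[1-9][0-9]{4,})$</field>
    <description>Suspicious long session duration: srcIP=$(srcip) -> dstIP=$(dstip) duration=$(Duration) seconds application=$(Application)</description>
  </rule>

</group>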