Adding correlation rules and template.

correlations/cert_expired.yaml

@@ -0,0 +1,18 @@
+id: cert_expired
+version: 1
+meta:
+  name: Expired SSL certificate found
+  description: >
+    A host was found with an expired SSL certificate. This may
+    pose a risk to the security of the service exposed and/or
+    cause connecting services to fail due to being unable to
+    verify the certificate.
+  risk: MEDIUM
+collections:
+  - collect:
+      - method: exact
+        field: type
+        value: SSL_CERTIFICATE_EXPIRED
+aggregation:
+  field: source.data
+headline: "Expired SSL certificate found: {source.data}"

correlations/cloud_bucket_open.yaml

@@ -0,0 +1,24 @@
+id: cloud_bucket_open
+version: 1
+meta:
+  name: Cloud storage bucket open to the Internet
+  description: >
+    A cloud storage bucket (e.g. S3) referenced from the target
+    website has been found to be open to the Internet. Such
+    buckets should be restricted so that contents cannot be
+    listed, even if needing to be publicly accessible.
+  risk: HIGH
+collections:
+  - collect:
+      - method: exact
+        field: type
+        value: CLOUD_STORAGE_BUCKET
+      - method: exact
+        field: source.type
+        value: LINKED_URL_EXTERNAL
+      - method: exact
+        field: child.type
+        value: CLOUD_STORAGE_BUCKET_OPEN
+aggregation:
+  field: data
+headline: "Cloud storage bucket found open: {data}"

correlations/cloud_bucket_open_related.yaml

@@ -0,0 +1,25 @@
+id: cloud_bucket_open_related
+version: 1
+meta:
+  name: Possibly related cloud storage bucket open to the Internet
+  description: >
+    A cloud storage bucket (e.g. S3) potentially related to
+    the target has been found to be open to the Internet.
+
+    As the buckets in this case are based on name-matching, verification
+    for actual association with the target is necessary.
+  risk: LOW
+collections:
+  - collect:
+      - method: exact
+        field: type
+        value: CLOUD_STORAGE_BUCKET
+      - method: exact
+        field: source.type
+        value: not LINKED_URL_EXTERNAL
+      - method: exact
+        field: child.type
+        value: CLOUD_STORAGE_BUCKET_OPEN
+aggregation:
+  field: data
+headline: "Potentially relevant cloud storage bucket found open: {data}"

correlations/data_from_base64.yaml

@@ -0,0 +1,22 @@
+id: data_from_base64
+version: 1
+meta:
+  name: Data was found within base64-encoded data
+  description: >
+    Possibly interesting data was found within base64-encoded data,
+    such as software versions, names, email addresses and hostnames.
+  risk: INFO
+collections:
+  - collect:
+      - method: exact
+        field: type
+        value: BASE64_DATA
+      - method: regex
+        field: child.data
+        value: .*
+      - method: exact
+        field: child.type
+        value: not HASH
+aggregation:
+  field: child.data
+headline: "Interesting data was found within base64-encoded data: '{child.data}'"

correlations/data_from_docmeta.yaml

@@ -0,0 +1,22 @@
+id: data_from_docmeta
+version: 1
+meta:
+  name: Data was found within document/image meta data
+  description: >
+    Possibly interesting data was found within document/image meta data,
+    such as software versions, names, email addresses and hostnames.
+  risk: INFO
+collections:
+  - collect:
+      - method: exact
+        field: type
+        value: RAW_FILE_META_DATA
+      - method: regex
+        field: child.data
+        value: .*
+      - method: exact
+        field: child.type
+        value: not HASH
+aggregation:
+  field: child.data
+headline: "Interesting data was found within document meta data: '{child.data}'"

correlations/database_exposed.yaml

@@ -0,0 +1,46 @@
+id: database_exposed
+version: 1
+meta:
+  name: Database server exposed to the Internet
+  description: >
+    A database technology (MySQL, Oracle, Postgres, Redis,
+    Hadoop, MongoDB, Spark) was found to be accessible over
+    the Internet.
+
+    Even if authentication is required such systems should not
+    be exposed over the Internet due to the risk of misconfiguration
+    or unpatched vulnerabilities.
+  risk: HIGH
+collections:
+  - collect:
+      - method: exact
+        field: type
+        value: TCP_PORT_OPEN
+      - method: regex
+        field: data
+        value:
+          # MySQL
+          - .*:3306$
+          # Oracle
+          - .*:1521$
+          # PostgreSQL
+          - .*:5432$
+          # Redis
+          - .*:6379$
+          - .*:6380$
+          # Hadoop
+          - .*:50070$
+          - .*:50470$
+          - .*:50090$
+          - .*:500[12]0$
+          - .*:50475$
+          - .*:50075$
+          - .*:8020$
+          - .*:9000$
+          # Spark
+          - .*:7077$
+          # MongoDB
+          - .*:2701[789]$
+aggregation:
+  field: data
+headline: "Database server exposed to the Internet: {data}"

correlations/dev_or_test_system.yaml

@@ -0,0 +1,26 @@
+id: dev_or_test_system
+version: 1
+meta:
+  name: A host appearing to be a test or development system was found
+  description: >
+    A host that has dev, test, staging, internal or uat in its
+    name was found. This may indicate a system that is exposed
+    over the Internet unintentionally, and/or may be less secure
+    than other systems.
+  risk: MEDIUM
+collections:
+  - collect:
+      - method: exact
+        field: type
+        value: INTERNET_NAME
+      - method: regex
+        field: data
+        value:
+          - .*dev.*
+          - .*test.*
+          - .*uat.*
+          - .*internal.*
+          - .*staging.*
+aggregation:
+  field: data
+headline: "Development or internal system found: {data}"

correlations/dns_zone_transfer_possible.yaml

@@ -0,0 +1,18 @@
+id: dns_zone_transfer_possible
+version: 1
+meta:
+  name: DNS Zone Transfer is possible
+  description: >
+    It was possible to perform a DNS Zone Transfer with the
+    target's name server. Zone transfers can expose a significant
+    amount of information about the target network and have no
+    real need to be enabled in modern networks.
+  risk: HIGH
+collections:
+  - collect:
+      - method: exact
+        field: module
+        value: sfp_dnszonexfer
+aggregation:
+  field: source.data
+headline: "DNS Zone Transfer possible with {source.data}"

correlations/egress_ip_from_wikipedia.yaml

@@ -0,0 +1,33 @@
+id: egress_ip_from_wikipedia
+version: 1
+meta:
+  name: Wikipedia page edit from target-owned network
+  description: >
+    A Wikipedia page edit was found to come from an IP address
+    within a network owned by the target. That IP address is
+    highly likely to be that of a VPN server or office egress
+    proxy/gateway.
+  risk: MEDIUM
+collections:
+  - collect:
+      - method: exact
+        field: type
+        value: NETBLOCK_OWNER
+  - collect:
+      - method: exact
+        field: type
+        value: IP_ADDRESS
+      - method: exact
+        field: child.type
+        value: WIKIPEDIA_PAGE_EDIT
+aggregation:
+  field: data
+analysis:
+  - method: match_all_to_first_collection
+    field: data
+    # Could also be 'contains' or 'exact'
+    match_method: subnet
+headline:
+  text: "Wikipedia edit from IP within target-owned network: {data}"
+  publish_collections:
+    - 1

correlations/email_in_multiple_breaches.yaml

@@ -0,0 +1,25 @@
+id: email_in_multiple_breaches
+version: 1
+meta:
+  name: >
+    An email address was reported to be in multiple breaches
+  description: >
+    An email address was reported to be in multiple breaches.
+
+    The presence in multiple breaches may indicate that the password
+    of the account is particularly weak, or that it was re-used across
+    the sites involved in the breaches. Note that some breaches simply
+    aggregate other breaches, or may be very old.
+  risk: HIGH
+collections:
+  - collect:
+      - method: exact
+        field: type
+        value: EMAILADDR_COMPROMISED
+aggregation:
+  field: source.data
+analysis:
+  - method: threshold
+    field: source.data
+    minimum: 2
+headline: "Email address reported in multiple breaches: {source.data}"

correlations/email_in_whois.yaml

@@ -0,0 +1,24 @@
+id: email_in_whois
+version: 1
+meta:
+  name: A target-relevant email address was found in Whois data
+  description: >
+    An email address was found in Whois data that is directly
+    related to the target (e.g. same domain). The email found may
+    be that of a highly privileged person responsible for
+    maintaining the infrastructure of the target.
+
+    Email addresses are increasingly rarely found in Whois data due
+    to GDPR.
+  risk: INFO
+collections:
+  - collect:
+      - method: exact
+        field: type
+        value: EMAILADDR
+      - method: regex
+        field: source.type
+        value: .*WHOIS.*
+aggregation:
+  field: data
+headline: "Email address found in Whois record: {data}"

correlations/email_only_from_pasteleak_site.yaml

@@ -0,0 +1,35 @@
+id: email_only_from_pasteleak_site
+version: 1
+meta:
+  name: Email address only from paste/leak site
+  description: >
+    An email address was found mentioned in a paste/leak site but
+    nowhere else.
+
+    Since the email address was not found anywhere else, this may indicate
+    that the address is in some way special, perhaps not intended to
+    be publicly exposed/used or targeted in an attack.
+  risk: MEDIUM
+collections:
+  - collect:
+      - method: exact
+        field: type
+        value: EMAILADDR
+      - method: exact
+        field: source.type
+        value:
+          - LEAKSITE_CONTENT
+  - collect:
+      - method: exact
+        field: type
+        value: EMAILADDR
+      - method: exact
+        field: source.type
+        value:
+          - not LEAKSITE_CONTENT
+aggregation:
+  field: data
+analysis:
+  - method: first_collection_only
+    field: data
+headline: "Email address found only in paste/leak site: {data}"

correlations/host_only_from_bruteforce.yaml

@@ -0,0 +1,32 @@
+id: host_only_from_bruteforce
+version: 1
+meta:
+  name: Host only from bruteforcing
+  description: >
+    A hostname was found only by brute-forcing but nowhere else.
+
+    Since the host was not found anywhere else, this may indicate
+    that the host is in some way special, perhaps not intended to
+    be publicly exposed/used.
+  risk: LOW
+collections:
+  - collect:
+      - method: exact
+        field: type
+        value: INTERNET_NAME
+      - method: exact
+        field: module
+        value: sfp_dnsbrute
+  - collect:
+      - method: exact
+        field: type
+        value: INTERNET_NAME
+      - method: exact
+        field: module
+        value: not sfp_dnsbrute
+aggregation:
+  field: data
+analysis:
+  - method: first_collection_only
+    field: data
+headline: "Host found only through bruteforcing: {data}"