RDP from Internet rule triggering on bogon ip address

willemdh · October 26, 2020, 7:59am

Hello,

Noticed the SIEM rule" RDP (Remote Desktop Protocol) from the Internet" triggered on source.ip: "169.254.231.41" which is a bogon link-local address.

So this should not be considered as "from the Internet" and so "169.254.0.0/16" should be excluded in the query?

event.category:(network or network_traffic) and network.transport:tcp and (destination.port:3389 or event.dataset:zeek.rdp) and not source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or "::1")

Grtz

Willem

Mike_Paquette · October 26, 2020, 10:35am

Hi Willem, thanks for submitting this rule improvement suggestion!

I've created an issue in our public detection-rules repo, passing along your suggested improvement

BTW, you can create issues directly in that repo if you prefer, as it is a public repo!

Thanks for your continued contributions to our community!

willemdh · October 26, 2020, 10:53am

Well it's kind of confusing, because sometimes when I create some GH issue, I get the message I need to create a forum post first...

Anyway, thanks for creating the GH issue!

By the way, the same consideration might be valid for other "from / to the Internet" rules.

system · November 23, 2020, 10:53am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
False Positive - RPC (Remote Procedure Call) to the Internet (Kuery) SIEM	3	417	June 3, 2020
False positive on SIEM rule SSH to the Internet SIEM	4	475	June 15, 2020
SIEM open rules Elastic Security	3	607	October 7, 2021
"SMTP to Internet" signal detection rule is not fired up by Elastic SIEM SIEM	3	491	July 14, 2020
MISP + Alerts SIEM	8	609	June 28, 2023

RDP from Internet rule triggering on bogon ip address

Related topics