RDP from Internet rule triggering on bogon IP address

Hello,

Noticed the SIEM rule "RDP (Remote Desktop Protocol) from the Internet" triggered on source.ip: "169.254.231.41", which is a bogon link-local address.


So this should not be considered "from the Internet", and "169.254.0.0/16" should be excluded in the query?

event.category:(network or network_traffic) and network.transport:tcp and (destination.port:3389 or event.dataset:zeek.rdp) and not source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or "::1")

Grtz

Willem
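To make the suggestion concrete, here is a Python rendering of the posted KQL rule run over a handful of constructed flow records, first with the rule's own source exclusions and then with additional bogon ranges excluded. This is an added example written for this page, not Elastic's rule code or anything from the thread. The thread only asks for 169.254.0.0/16; the other ranges in EXTRA_BOGON_SOURCES (0.0.0.0/8, 100.64.0.0/10, 127.0.0.0/8, multicast, reserved, fe80::/10, ::1) are my assumption about what a wider "not from the Internet" list could look like, and the sample events, helper names and field handling are all constructed for the example.

```python
import ipaddress
from typing import Iterable, List

# Source exclusions exactly as written in the posted KQL rule.
RULE_SOURCE_EXCLUSIONS = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")

# Destination ranges the posted KQL rule requires.
RULE_DESTINATION_RANGES = ("10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12",
                           "192.168.0.0/16", "::1")

# Assumption for this example: the thread only names 169.254.0.0/16. The rest are
# other well-known non-routable / bogon blocks that are never a legitimate Internet
# source; whether each belongs in a site's exclusion list is a per-site decision.
EXTRA_BOGON_SOURCES = (
    "169.254.0.0/16",  # IPv4 link-local (APIPA), the block that fired the alert
    "0.0.0.0/8",       # "this" network
    "100.64.0.0/10",   # shared address space for CGNAT (RFC 6598), site-dependent
    "127.0.0.0/8",     # loopback
    "224.0.0.0/4",     # multicast
    "240.0.0.0/4",     # reserved
    "fe80::/10",       # IPv6 link-local
    "::1",             # IPv6 loopback
)


def _in_any(ip, cidrs: Iterable[str]) -> bool:
    """True if ip falls inside any CIDR (a v4 address never matches a v6 block)."""
    return any(ip in ipaddress.ip_network(c) for c in cidrs)


def rdp_from_internet(event: dict, extra_source_exclusions: Iterable[str] = ()) -> bool:
    """Evaluate the posted rule against one ECS-style event (flat dotted keys).

    extra_source_exclusions is the proposed addition: CIDRs that, like the rule's
    own RFC 1918 list, disqualify the source from being 'the Internet'.
    """
    categories = event.get("event.category", [])
    if isinstance(categories, str):
        categories = [categories]
    if not ({"network", "network_traffic"} & set(categories)):
        return False
    if event.get("network.transport") != "tcp":
        return False
    if not (str(event.get("destination.port")) == "3389"
            or event.get("event.dataset") == "zeek.rdp"):
        return False
    try:
        src = ipaddress.ip_address(event["source.ip"])
        dst = ipaddress.ip_address(event["destination.ip"])
    except (KeyError, ValueError):
        return False  # missing or unparsable address: the KQL would not match either
    if _in_any(src, RULE_SOURCE_EXCLUSIONS) or _in_any(src, extra_source_exclusions):
        return False
    return _in_any(dst, RULE_DESTINATION_RANGES)


def _flow(src: str, dst: str, port: int = 3389, dataset: str = "zeek.conn") -> dict:
    """Build a constructed network event; not real telemetry."""
    return {"event.category": ["network"], "event.dataset": dataset,
            "network.transport": "tcp", "source.ip": src,
            "destination.ip": dst, "destination.port": port}


# Constructed sample events (documentation/TEST-NET prefixes stand in for real Internet hosts).
SAMPLE_EVENTS = [
    _flow("169.254.231.41", "10.20.30.40"),                   # the alert from the thread
    _flow("203.0.113.7", "10.20.30.40"),                      # genuine Internet source
    _flow("192.168.1.5", "10.20.30.40"),                      # internal, already excluded
    _flow("100.64.3.9", "10.20.30.40"),                       # CGNAT shared space
    _flow("198.51.100.4", "10.20.30.40", port=22),            # not RDP
    _flow("198.51.100.9", "10.20.30.40", port=3390, dataset="zeek.rdp"),  # RDP on odd port
    _flow("198.51.100.12", "203.0.113.50"),                   # destination not internal
    _flow("fe80::1", "::1"),                                  # IPv6 link-local to loopback
]


def alerting_sources(events: Iterable[dict], extra: Iterable[str] = ()) -> List[str]:
    """Return the source.ip of every event the rule would alert on."""
    return [e["source.ip"] for e in events if rdp_from_internet(e, extra)]


if __name__ == "__main__":
    print("as posted:      ", alerting_sources(SAMPLE_EVENTS))
    print("with bogon list:", alerting_sources(SAMPLE_EVENTS, EXTRA_BOGON_SOURCES))
```

With the rule as posted, the link-local and CGNAT sources alert alongside the real Internet host; with the extra exclusions only the two routable sources remain. Two caveats for anyone adopting this: a link-local source reaching an RDP listener is still unusual on a well-run LAN (it usually means a host that failed DHCP, or a spoofed address), so it may deserve its own lower-severity rule rather than silent suppression; and 100.64.0.0/10 is only safe to treat as "internal" where the site never sees pre-NAT carrier addresses at its sensors.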

Hi Willem, thanks for submitting this rule improvement suggestion!

I've created an issue in our public detection-rules repo, passing along your suggested improvement

BTW, you can create issues directly in that repo if you prefer, as it is a public repo!

Thanks for your continued contributions to our community!

Well, it's kind of confusing, because sometimes when I create a GH issue, I get the message that I need to create a forum post first...

Anyway, thanks for creating the GH issue!

By the way, the same consideration might be valid for other "from / to the Internet" rules.
