SSH (Secure Shell) to the Internet "rule discrepancy?"

Hi,

I am looking to get Cisco FNF (Flexible NetFlow) and Elastic NetFlow to play nice with me.
I don't know if I should report this as a "bug"?
When using FNF and getting direction on internal flows, it feels like the signal detection rule:
"SSH (Secure Shell) to the Internet"

This fires on internal » internal outbound traffic.
192.168.1.10 » 192.168.2.10:22

network.transport: tcp and destination.port:22 and ( network.direction: outbound  or (  source.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and  not destination.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) ))

Is this by design, or should it be something like this?:

network.transport: tcp and destination.port:22 and ( network.direction: outbound and not destination.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) or (  source.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and  not destination.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)))

or (without outbound)

network.transport: tcp and destination.port:22 and source.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)

--
Regards Falk
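To make the discrepancy concrete, here is an added example (not code from the original post or from the rule repository) that models the three KQL queries above as plain Python predicates and runs them over a handful of constructed ECS-style flow records. The sample flows, the `flow()` helper and the function names are assumptions made for this illustration; the public addresses come from the RFC 5737 documentation ranges so they are guaranteed not to match the RFC 1918 clauses.

```python
import ipaddress

# RFC 1918 ranges used by the rule's source.ip / destination.ip clauses.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(ip: str) -> bool:
    """True if ip falls inside any of the rule's three RFC 1918 ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def flow(src, dst, port=22, transport="tcp", direction=None):
    """Minimal ECS-style flow record. Constructed sample data, not real NetFlow output."""
    return {
        "source.ip": src,
        "destination.ip": dst,
        "destination.port": port,
        "network.transport": transport,
        "network.direction": direction,  # None models a record with no direction field
    }


def _tcp_ssh(ev) -> bool:
    return ev["network.transport"] == "tcp" and ev["destination.port"] == 22


def _private_to_public(ev) -> bool:
    return is_private(ev["source.ip"]) and not is_private(ev["destination.ip"])


def original_rule(ev) -> bool:
    # ... and ( network.direction: outbound or ( source.ip: private and not destination.ip: private ) )
    # The "outbound" branch alone is enough to fire, whatever the destination is.
    return bool(_tcp_ssh(ev) and (ev["network.direction"] == "outbound" or _private_to_public(ev)))


def proposed_rule_with_direction(ev) -> bool:
    # ... and ( ( network.direction: outbound and not destination.ip: private )
    #           or ( source.ip: private and not destination.ip: private ) )
    outbound_to_public = ev["network.direction"] == "outbound" and not is_private(ev["destination.ip"])
    return bool(_tcp_ssh(ev) and (outbound_to_public or _private_to_public(ev)))


def proposed_rule_without_direction(ev) -> bool:
    # ... and source.ip: private and not destination.ip: private
    return bool(_tcp_ssh(ev) and _private_to_public(ev))


# Constructed sample flows covering the cases that distinguish the three queries.
SAMPLE_FLOWS = {
    "internal_to_internal_outbound": flow("192.168.1.10", "192.168.2.10", direction="outbound"),
    "internal_to_internet_outbound": flow("192.168.1.10", "203.0.113.5", direction="outbound"),
    "internal_to_internet_no_direction": flow("10.0.0.5", "198.51.100.7", direction=None),
    "public_src_to_internet_outbound": flow("203.0.113.9", "198.51.100.7", direction="outbound"),
    "internet_to_internal_inbound": flow("203.0.113.5", "192.168.1.10", direction="inbound"),
    "internal_to_internet_port_443": flow("192.168.1.10", "203.0.113.5", port=443, direction="outbound"),
}

RULES = {
    "original": original_rule,
    "with_direction": proposed_rule_with_direction,
    "without_direction": proposed_rule_without_direction,
}


def evaluate(rule, flows=SAMPLE_FLOWS) -> dict:
    """Map each sample flow name to whether the given rule would fire on it."""
    return {name: rule(ev) for name, ev in flows.items()}


def compare_rules(flows=SAMPLE_FLOWS) -> dict:
    """Table of rule name -> {flow name -> fired}, for side-by-side inspection."""
    return {name: evaluate(rule, flows) for name, rule in RULES.items()}


if __name__ == "__main__":
    for rule_name, results in compare_rules().items():
        print(rule_name)
        for flow_name, fired in results.items():
            print(f"  {flow_name:36} {'FIRES' if fired else '-'}")
```

The run shows where the three queries diverge: the original fires on the 192.168.1.10 » 192.168.2.10:22 flow purely because `network.direction` is `outbound`, both proposed variants stay quiet on it, and all three still fire on a private source talking to a public destination. The variant without the direction clause also stops firing on a host with a public source address going outbound, which is the trade-off of dropping `network.direction` entirely.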

Hey there Falk,

I spoke to our I&A team about this and they're now tracking this as a rule tuning change for a future release, so thank you for bringing this up! :slightly_smiling_face:

All of our detection rules were actually just made available on GitHub earlier today (:tada: ), so if you stumble across anything else rule-related, feel free to open an issue in that repo and it can be tracked as part of their releases.

Thanks again!
Garrett

Really nice work by the team!

Forking and checking it out now :slight_smile:

--
Regards Falk