SigmaHQ / sigma

Main Sigma Rule Repository

Excessive requests from Go-http-client/1.1 #4683

Closed cherdt closed 10 months ago

cherdt commented 10 months ago

Description of the Idea of the Rule

Not sure if it is possible to write Sigma rules based on summary/stats data. I'm interested in generating alerts for source IP addresses that are hitting large numbers of destination IP addresses within my organization using the Go-http-client/1.1 user-agent.

Here's a Splunk query I currently use to identify these:

index=zeek sourcetype=zeek_http http_user_agent="Go-http-client/1.1" 
| stats count(id.resp_h) AS dest_count by id.orig_h
| where dest_count > 1000

I'm really more interested in whether it is possible (or advisable) to write Sigma rules based on summary events or stats than creating this specific rule. Such rules may be more difficult to automatically convert for a variety of SIEM tools. I'd like to make greater use of Sigma within my organization, but many of our custom detection rules rely on multiple events leading to one alert and I'm not sure how well that fits the Sigma model.

Thanks!

github-actions[bot] commented 10 months ago

Welcome @cherdt :wave:

It looks like this is your first issue on the Sigma rules repository!

The following repository accepts issues related to false positives or 'rule ideas'.

If you're reporting an issue related to the pySigma library please consider submitting it here

If you're reporting an issue related to the deprecated sigmac library please consider submitting it here

Thanks for taking the time to open this issue, and welcome to the Sigma community! :smiley:

nasbench commented 10 months ago

Hey there,

It's possible to do such a thing in Sigma using the Correlation feature. We've not yet made it "officially" public but here is the documentation https://github.com/SigmaHQ/sigma-specification/blob/version_2/appendix_meta_rules.md#event-count-event_count so that you can get an idea. You can use the count type correlation to achieve exactly what you showed in your example.

Currently there's no backend supporting the conversion from Sigma to a target backend. But in the coming weeks, the Splunk backend will support such a feature. Keep an eye here https://github.com/SigmaHQ/pySigma-backend-splunk

Now to answer your more general question. Yes, with the correlation feature you can write multi-event rules leading to one alert. I showcased an example in this presentation a couple of months ago https://www.youtube.com/watch?v=-MOLIUPrNjw&t=2116s&ab_channel=AtomicsonaFriday. Give it a watch to get a feeling.

We will be releasing a blog post on our blog https://blog.sigmahq.io/ to describe this feature in detail soon, and the examples will be Splunk-based ;)

Hope this answers your question and gives you an idea of where things are going.
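As an added example (not code from the Sigma project, pySigma, or either commenter), the following mirrors what the count-type correlation in the linked spec draft expresses: distinct id.resp_h values per id.orig_h inside a timespan, alerting once the threshold is met, run over constructed Zeek http.log JSON lines. The rule keys (group-by, timespan, condition/gte/field) are taken from the spec draft as I read it and are an assumption here, as is the fixed-window bucketing.

```python
import json
from collections import defaultdict
from datetime import timedelta

# Constructed Zeek http.log records (JSON lines); not real traffic.
# 10.0.0.5 reaches 1200 distinct hosts, 10.0.0.9 hits one host 1200 times,
# 10.0.0.7 uses a different user agent and must not match the base rule.
ZEEK_HTTP = "\n".join(
    [json.dumps({"ts": 1700000000 + i, "id.orig_h": "10.0.0.5",
                 "id.resp_h": f"10.1.{i // 256}.{i % 256}",
                 "user_agent": "Go-http-client/1.1"}) for i in range(1200)]
    + [json.dumps({"ts": 1700000000 + i, "id.orig_h": "10.0.0.9",
                   "id.resp_h": "10.1.0.1",
                   "user_agent": "Go-http-client/1.1"}) for i in range(1200)]
    + [json.dumps({"ts": 1700000000, "id.orig_h": "10.0.0.7",
                   "id.resp_h": "10.1.0.2", "user_agent": "curl/8.0"})]
)

# The base (single-event) rule's selection: same predicate as the Splunk query.
SELECTION = {"user_agent": "Go-http-client/1.1"}

# Correlation settings, keyed like the spec draft (assumed): count distinct
# id.resp_h per id.orig_h within one hour, alert at 1000 or more.
CORRELATION = {"type": "value_count", "group-by": ["id.orig_h"],
               "timespan": timedelta(hours=1),
               "condition": {"gte": 1000, "field": "id.resp_h"}}

def matches(event, selection):
    """True when every selection field equals the event's value (base rule hit)."""
    return all(event.get(k) == v for k, v in selection.items())

def evaluate(log_text, selection, corr):
    """Return one alert per (group, window) whose distinct-value count meets gte."""
    windows = defaultdict(set)
    span = int(corr["timespan"].total_seconds())
    for line in log_text.splitlines():
        ev = json.loads(line)
        if not matches(ev, selection):
            continue
        group = tuple(ev[f] for f in corr["group-by"])
        window = int(ev["ts"]) // span  # fixed windows, like a scheduled search
        windows[(group, window)].add(ev[corr["condition"]["field"]])
    threshold = corr["condition"]["gte"]
    return [{"group": dict(zip(corr["group-by"], g)), "count": len(vals)}
            for (g, _), vals in sorted(windows.items()) if len(vals) >= threshold]

if __name__ == "__main__":
    for alert in evaluate(ZEEK_HTTP, SELECTION, CORRELATION):
        print(alert)  # one alert for 10.0.0.5 with count 1200
```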

cherdt commented 10 months ago

This is exactly what I was thinking of! This is really exciting, thanks for the additional info!