diff --git a/rules/example-1-simple.yaml b/rules/example-1-simple.yaml
deleted file mode 100644
index ad3dd9e7006..00000000000
--- a/rules/example-1-simple.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-# A very simple config for introductory purpose. Not for the real-world!
-
-# Network traffic to/from standard system utilities
-# These utils never communicate on the network - if they do, that is a strong indication
-# that something is wrong (rootkit?)
-# Note that the full rule lists all ~150 binaries from coreutils; this example only has a few.
-- condition: (fd.typechar = 4 or fd.typechar = 6) and proc.name in (ls, mkdir, cat, less, ps)
-  output: "%evt.time: %proc.name network with %fd.l4proto"
-
-# System binary is modified or new file is written to standard binary dirs
-- condition: evt.type = open and fd.directory in (/bin, /sbin, /usr/bin, /usr/sbin)
-  output: "%evt.time: System binary modified (file '%fd.filename' written by process %proc.name)"
-
-# Shell running in container
-- condition: container.id != host and proc.name = bash
-  output: "%evt.time: Shell running in container (%proc.name, %container.id)"
diff --git a/rules/example-2-macros.yaml b/rules/example-2-macros.yaml
deleted file mode 100644
index 08939325097..00000000000
--- a/rules/example-2-macros.yaml
+++ /dev/null
@@ -1,22 +0,0 @@
-# A very simple config for introductory purpose. Not for the real-world!
-
-
-# Binary directories
-- macro: bin_dir
-  condition: fd.directory in (/bin, /sbin, /usr/bin, /usr/sbin)
-
-# Core binaries
-- macro: core_binaries
-  condition: proc.name in (ls, mkdir, cat, less, ps)
-
-# Network traffic to/from standard utility
-- condition: (fd.typechar = 4 or fd.typechar=6) and core_binaries
-  output: "%evt.time: %proc.name network with %fd.l4proto"
-
-# System binary is modified
-- condition: evt.type = write and bin_dir
-  output: "%evt.time: System binary modified (file '%fd.filename' written by process %proc.name)"
-
-# Shell running in container
-- condition: container.id != host and proc.name = bash
-  output: "%evt.time: Shell running in container (%proc.name, %container.id)"