Logic error in Firewall rule any/any created?
wagga40 opened this issue · 1 comment
wagga40 commented
In the following rule: Firewall rule any/any created
The related EVTX is here
I think the important fields are:

```json
"LocalAddresses": "*",
"LocalPorts": "",
"RemoteAddresses": "*",
"RemotePorts": "",
```
But the rule only checks for `LocalPorts` and `RemotePorts`:

```yaml
detection:
  selection:
    EventID:
      - 2004 # new rule created
      - 2005 # existing rule modified
    Action: 3 # allow
    LocalPorts: '*'   # quoted: a bare * is a YAML alias and does not parse
    RemotePorts: '*'
```
Shouldn't you add a check for `LocalAddresses` and `RemoteAddresses` equal to `'*'`?
mdecrevoisier commented
Thanks for the advice. I have added both approaches in the rules, including your suggestion. Thanks
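As an added illustration of the gap discussed in this thread (example code, not part of the rule repository), the matcher below models the port-only selection beside the one that also checks both address fields, and runs them over constructed events shaped like the EVTX quoted above. It assumes that an empty port field means "no port restriction", which is how the quoted event (addresses `*`, ports empty) reads.

```python
# Added example: models the two selections from the issue against constructed events.
from typing import Dict, List

RULE_EVENT_IDS = {2004, 2005}  # from the rule: 2004 = rule created, 2005 = rule modified
ACTION_ALLOW = 3               # from the rule: Action 3 = allow


def is_unrestricted(value: object) -> bool:
    """True when a scope field places no restriction.
    Assumption: the literal '*' and an empty value (as LocalPorts/RemotePorts
    appear in the quoted EVTX) both mean 'any'."""
    return str(value).strip() in ("", "*")


def port_only_selection(event: Dict[str, object]) -> bool:
    """Selection as in the rule before the fix: event id, allow action, ports only."""
    return (event.get("EventID") in RULE_EVENT_IDS
            and event.get("Action") == ACTION_ALLOW
            and is_unrestricted(event.get("LocalPorts", ""))
            and is_unrestricted(event.get("RemotePorts", "")))


def any_any_selection(event: Dict[str, object]) -> bool:
    """Port check plus the LocalAddresses/RemoteAddresses check proposed in the issue."""
    return (port_only_selection(event)
            and is_unrestricted(event.get("LocalAddresses", ""))
            and is_unrestricted(event.get("RemoteAddresses", "")))


def flagged(events: List[Dict[str, object]], selection) -> List[str]:
    """Names of the constructed events a selection would alert on."""
    return [str(e["RuleName"]) for e in events if selection(e)]


# Constructed sample events (not real log data); field values follow the issue's EVTX excerpt.
SAMPLE_EVENTS = [
    {"RuleName": "any-any", "EventID": 2004, "Action": 3, "LocalAddresses": "*",
     "LocalPorts": "", "RemoteAddresses": "*", "RemotePorts": ""},
    # Address-scoped rule: ports open, but remote side limited to one subnet (constructed).
    {"RuleName": "subnet-scoped", "EventID": 2005, "Action": 3, "LocalAddresses": "*",
     "LocalPorts": "*", "RemoteAddresses": "10.0.0.0/8", "RemotePorts": "*"},
    # Same scope as any-any but Action is not 3, so it is not an allow rule (constructed).
    {"RuleName": "not-allow", "EventID": 2004, "Action": 2, "LocalAddresses": "*",
     "LocalPorts": "", "RemoteAddresses": "*", "RemotePorts": ""},
]

if __name__ == "__main__":
    print("port-only selection flags:", flagged(SAMPLE_EVENTS, port_only_selection))
    print("any/any selection flags:  ", flagged(SAMPLE_EVENTS, any_any_selection))
```

The port-only selection also fires on the subnet-scoped rule, which is the false positive the address check removes.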