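# Network safety checks: each entry flags a shell command that can strip
# firewall protection or cut the host off from the network.
#
# Fields, as used by every entry in this list:
#   from        - group the check belongs to (always "network" here)
#   test        - regular expression applied to the command line
#   description - human-readable statement of what the command does
#   id          - stable identifier in the form "<group>:<name>"
#   severity    - Critical or High
#
# Patterns are single-quoted so the YAML parser never reinterprets
# backslashes or regex metacharacters.
# NOTE(review): no pattern is anchored with ^, so each presumably matches
# anywhere in the command (for example behind sudo) - confirm against the
# consumer of this file.

# --- Packet filter (iptables / ip6tables) ---

# Flushing leaves only the chain policies in force: with ACCEPT policies the
# host is unfiltered, with DROP policies a remote session can be locked out.
# Covers the long option --flush as well as -F.
- from: network
  test: 'ip6?tables\s+(-F|--flush)'
  description: "Flushing all firewall rules"
  id: network:flush_iptables
  severity: Critical

# Covers ip6tables too, consistent with the flush check above; the IPv6
# ruleset is separate and is just as easy to wipe.
- from: network
  test: 'ip6?tables\s+(-X|--delete-chain)'
  description: "Deleting all custom chains"
  id: network:delete_custom_chains
  severity: High

# "-t nat" sits between the binary and -F, so the generic flush check does
# not see this form and it needs its own pattern.
# NOTE(review): "-t nat" given after -F, and the --table spelling, are not
# matched here.
- from: network
  test: 'ip6?tables\s+-t\s+nat\s+(-F|--flush)'
  description: "Flushing all NAT rules"
  id: network:flush_nat_rules
  severity: High

# --- ufw ---

# (\s|$) keeps the match to the exact "disable" subcommand.
- from: network
  test: 'ufw\s+disable(\s|$)'
  description: "Disabling firewall"
  id: network:disable_firewall
  severity: Critical

# Only the --force form is flagged; a plain "ufw reset" asks for
# confirmation itself.
- from: network
  test: 'ufw\s+--force\s+reset'
  description: "Force resetting firewall rules"
  id: network:force_reset_firewall
  severity: Critical

# --- Network services ---

# NOTE(review): only "stop" is covered; "disable" and "mask" also take the
# service down (at next boot) and are not matched.
- from: network
  test: 'systemctl\s+stop\s+networking'
  description: "Stopping network service"
  id: network:stop_networking
  severity: High

- from: network
  test: 'systemctl\s+stop\s+NetworkManager'
  description: "Stopping NetworkManager service"
  id: network:stop_network_manager
  severity: High

# --- Interfaces ---

# The interface class accepts names such as br-lan, eth0.100 and eth0:1,
# which a bare \w+ would miss.
- from: network
  test: 'ifconfig\s+[\w.:-]+\s+down'
  description: "Bringing down network interface"
  id: network:bring_down_interface
  severity: High

# The optional "dev" keyword is accepted so that the common
# "ip link set dev eth0 down" form is caught as well.
- from: network
  test: 'ip\s+link\s+set\s+(dev\s+)?[\w.-]+\s+down'
  description: "Bringing down network interface using ip command"
  id: network:bring_down_interface_ip
  severity: High

# --- Routing ---

# If matching is unanchored, this also catches "ip route del default".
- from: network
  test: 'route\s+del\s+default'
  description: "Deleting default route"
  id: network:delete_default_route
  severity: High

# --- nftables ---

- from: network
  test: 'nft\s+flush\s+ruleset'
  description: "Flushing all nftables rules removes all firewall protection."
  id: network:flush_nftables
  severity: Critical

- from: network
  test: 'ip\s+route\s+flush'
  description: "Flushing the routing table causes immediate loss of network connectivity."
  id: network:flush_routes
  severity: Critical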