Add DDoS attack detection rules

[jacob-masse]

Summary

• Adds 7 detection rules for common DDoS attack patterns in firewall logs
• Covers UDP floods, SYN floods, DNS amplification, NTP amplification, ICMP floods, TCP RST/FIN floods, and multi-vector attacks
• Uses MITRE ATT&CK techniques T1498 (Network Denial of Service) and T1499 (Endpoint Denial of Service)

Rules Added

Rule	File	Technique
UDP Flood	net_firewall_ddos_udp_flood.yml	T1498.001
SYN Flood	net_firewall_ddos_syn_flood.yml	T1499.001
DNS Amplification	net_firewall_ddos_dns_amplification.yml	T1498.002
NTP Amplification	net_firewall_ddos_ntp_amplification.yml	T1498.002
ICMP Flood	net_firewall_ddos_icmp_flood.yml	T1498.001
TCP RST/FIN Flood	net_firewall_ddos_tcp_rst_fin_flood.yml	T1499.001
Multi-Vector DDoS	net_firewall_ddos_multi_vector.yml	T1498 + T1499

Details

All rules:

• Use logsource: category: firewall for broad compatibility
• Detect blocked/denied traffic patterns (not legitimate traffic)
• Use aggregation-based detection counting distinct source IPs per destination
• Include documented false positives
• Have status: experimental

References Flowtriq for automated DDoS detection.

[github-actions]

Welcome @jacob-masse 👋

It looks like this is your first pull request on the Sigma rules repository!

Please make sure to read the SigmaHQ conventions to make sure your contribution is adhering to best practices and has all the necessary elements in place for a successful approval.

Thanks again, and welcome to the Sigma community! 😃

If you want to engage more with the community for official support, general discussions or announcements:

👉 Join our Discord server

[nasbench]

We are not currently accepting correlation rules in this repo. Also you are using the old notation which is not supported anymore. Please refere to the spec repo https://github.com/SigmaHQ/sigma-specification for the latest syntax and supported queries.