SigmaHQ/rules/web/web_multiple_suspicious_resp_codes_single_source.yml

title: Multiple suspicious Response Codes caused by Single Client
description: Detects possible exploitation activity or bugs in a web application
detection:
    selection:
        - log: 
            - access.log
            - error.log
          response:
              - 400
              - 401
              - 403
              - 500
    condition: selection | count() by clientip > 10
falsepositives:
    - Unstable application
    - Application that misuses the response codes
level: 40
Added 'multiple_suspicious_response_codes_single_source' web rule 2017-01-10 23:39:26 +00:00			`title: Multiple suspicious Response Codes caused by Single Client`
			`description: Detects possible exploitation activity or bugs in a web application`
			`detection:`
			`selection:`
Renamed rule files, new rules 2017-02-10 18:17:02 +00:00			`- log:`
			`- access.log`
			`- error.log`
Added 'multiple_suspicious_response_codes_single_source' web rule 2017-01-10 23:39:26 +00:00			`response:`
			`- 400`
			`- 401`
			`- 403`
			`- 500`
			`condition: selection \| count() by clientip > 10`
			`falsepositives:`
			`- Unstable application`
			`- Application that misuses the response codes`
Renamed rule files, new rules 2017-02-10 18:17:02 +00:00			`level: 40`