SigmaHQ/rules/web/web_pulsesecure_cve-2019-11510.yml

title: Pulse Secure Attack CVE-2019-11510
id: 2dbc10d7-a797-49a8-8776-49efa6442e60
description: Detects CVE-2019-11510 exploitation attempt - URI contains Guacamole
references:
    - https://www.exploit-db.com/exploits/47297
author: Florian Roth
date: 2019/11/18
modified: 2020/03/14
logsource:
    category: webserver
detection:
    selection:
        c-uri: '*?/dana/html5acc/guacamole/*'
    condition: selection
fields:
    - client_ip
    - vhost
    - url
    - response
falsepositives:
    - Unknown
level: critical
rule: PulseSecure CVE-2019-11510 attack 2019-11-18 14:33:58 +00:00			`title: Pulse Secure Attack CVE-2019-11510`
			`id: 2dbc10d7-a797-49a8-8776-49efa6442e60`
			`description: Detects CVE-2019-11510 exploitation attempt - URI contains Guacamole`
			`references:`
			`- https://www.exploit-db.com/exploits/47297`
			`author: Florian Roth`
fix: fixed missing date fields in other files 2020-01-30 14:32:39 +00:00			`date: 2019/11/18`
use the taxonomy which states to use `c-uri` instead of `c-uri-path` 2020-03-14 19:02:06 +00:00			`modified: 2020/03/14`
rule: PulseSecure CVE-2019-11510 attack 2019-11-18 14:33:58 +00:00			`logsource:`
			`category: webserver`
			`detection:`
			`selection:`
use the taxonomy which states to use `c-uri` instead of `c-uri-path` 2020-03-14 19:02:06 +00:00			`c-uri: '?/dana/html5acc/guacamole/'`
rule: PulseSecure CVE-2019-11510 attack 2019-11-18 14:33:58 +00:00			`condition: selection`
			`fields:`
			`- client_ip`
			`- vhost`
			`- url`
			`- response`
			`falsepositives:`
			`- Unknown`
fix: fixed missing date fields in other files 2020-01-30 14:32:39 +00:00			`level: critical`