SigmaHQ/rules/web/web_cve_2019_3398_confluence.yml

title: Confluence Exploitation CVE-2019-3398
id: e9bc39ae-978a-4e49-91ab-5bd481fc668b
status: experimental
description: Detects the exploitation of the Confluence vulnerability described in CVE-2019-3398 
references:
    - https://devcentral.f5.com/s/articles/confluence-arbitrary-file-write-via-path-traversal-cve-2019-3398-34181
author: Florian Roth
date: 2020/05/26
tags:
    - attack.initial_access
    - attack.t1190
logsource:
    category: webserver
detection:
    selection1:
        cs-method: 'POST'
        c-uri|contains|all:
            - '/upload.action'
            - 'filename=../../../../'
    condition: selection
fields:
    - c-ip
    - c-dns
falsepositives:
    - Unknown
level: critical
rule: confluence exploit CVE-2019-3398 2020-05-26 10:09:41 +00:00			`title: Confluence Exploitation CVE-2019-3398`
			`id: e9bc39ae-978a-4e49-91ab-5bd481fc668b`
			`status: experimental`
			`description: Detects the exploitation of the Confluence vulnerability described in CVE-2019-3398`
			`references:`
			`- https://devcentral.f5.com/s/articles/confluence-arbitrary-file-write-via-path-traversal-cve-2019-3398-34181`
			`author: Florian Roth`
			`date: 2020/05/26`
			`tags:`
			`- attack.initial_access`
			`- attack.t1190`
			`logsource:`
			`category: webserver`
			`detection:`
			`selection1:`
			`cs-method: 'POST'`
			`c-uri\|contains\|all:`
			`- '/upload.action'`
			`- 'filename=../../../../'`
			`condition: selection`
			`fields:`
			`- c-ip`
			`- c-dns`
			`falsepositives:`
			`- Unknown`
			`level: critical`