SigmaHQ/rules/web/web_multiple_suspicious_resp_codes_single_source.yml

title: Multiple Suspicious Resp Codes Caused by Single Client
id: 6fdfc796-06b3-46e8-af08-58f3505318af
status: experimental
description: Detects possible exploitation activity or bugs in a web application
author: Thomas Patzke
date: 2017/02/19
modified: 2020/09/03
logsource:
    category: webserver
detection:
    selection:
        sc-status:
            - 400
            - 401
            - 403
            - 500
    timeframe: 10m
    condition: selection | count() by clientip > 10
fields:
    - client_ip
    - vhost
    - url
    - response
falsepositives:
    - Unstable application
    - Application that misuses the response codes
level: medium
tags:
    - attack.initial_access
    - attack.t1190
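As an added example (not part of the SigmaHQ rule or its tooling), the following Python applies this rule's detection logic to constructed web server log lines: it counts responses whose sc-status is in the selection per clientip inside a 10-minute window and reports clients that exceed 10. The log line format, the sliding-window reading of `timeframe`, and all IPs and URLs are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

SUSPICIOUS_STATUS = {400, 401, 403, 500}  # detection.selection: sc-status
TIMEFRAME = timedelta(minutes=10)         # detection.timeframe: 10m
THRESHOLD = 10                            # condition: count() by clientip > 10


def parse_log_line(line):
    """Parse a constructed line: '<clientip> [<YYYY-mm-dd HH:MM:SS>] "<req>" <status>'."""
    ip, rest = line.split(" [", 1)
    ts_text, rest = rest.split("] ", 1)
    _request, status = rest.rsplit(" ", 1)
    return {
        "clientip": ip,
        "timestamp": datetime.strptime(ts_text, "%Y-%m-%d %H:%M:%S"),
        "sc-status": int(status),
    }


def find_offending_clients(lines):
    """Return {clientip: time its 10m sliding-window count first exceeded 10}.
    A sliding window is an assumption; Sigma backends may use fixed buckets."""
    windows = defaultdict(deque)
    alerts = {}
    for rec in sorted(map(parse_log_line, lines), key=lambda r: r["timestamp"]):
        if rec["sc-status"] not in SUSPICIOUS_STATUS:
            continue  # e.g. 404 is not part of the rule's selection
        q = windows[rec["clientip"]]
        q.append(rec["timestamp"])
        while rec["timestamp"] - q[0] > TIMEFRAME:
            q.popleft()  # expire events older than the timeframe
        if len(q) > THRESHOLD and rec["clientip"] not in alerts:
            alerts[rec["clientip"]] = rec["timestamp"]
    return alerts


# Constructed sample traffic (not real logs); offsets are seconds after BASE.
BASE = datetime(2020, 9, 3, 10, 0, 0)

def make_line(ip, offset_s, url, status):
    ts = (BASE + timedelta(seconds=offset_s)).strftime("%Y-%m-%d %H:%M:%S")
    return f'{ip} [{ts}] "GET {url}" {status}'

SAMPLE_LOG = (
    # 12 x 403 from one client inside four minutes: exceeds 10 in one window
    [make_line("203.0.113.7", i * 20, f"/admin/page{i}", 403) for i in range(12)]
    # 11 x 500 from another client, one every six minutes: never >10 per 10m
    + [make_line("198.51.100.9", i * 360, "/api/report", 500) for i in range(11)]
    # 404s are not in the selection, so this client is never counted
    + [make_line("192.0.2.5", i * 30, f"/missing{i}", 404) for i in range(3)]
)
```

Note that the condition aggregates by `clientip` while `fields` lists `client_ip`; the backend field mapping must resolve the name used in the condition for the rule to fire.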