Added rule for Fortinet CVE-2018-13379 preauth file read exploitation.

2024-11-07 01:45:21 +00:00 · 2020-12-08 14:46:47 +05:45 · 2020-12-08 14:46:47 +05:45 · 3ddf940812
commit 3ddf940812
parent 03c7d751c0
1 changed files with 25 additions and 0 deletions
--- a/rules/web/web_fortinet_cve_2018_13379_preauth_read_exploit.yml
+++ b/rules/web/web_fortinet_cve_2018_13379_preauth_read_exploit.yml
@ -0,0 +1,25 @@
+
+title: Fortinet CVE-2018-13379 Exploitation
+description: Detects CVE-2018-13379 exploitation attempt against Fortinet SSL VPNs.
+id: a2e97350-4285-43f2-a63f-d0daff291738
+references:
+    - https://devco.re/blog/2019/08/09/attacking-ssl-vpn-part-2-breaking-the-Fortigate-ssl-vpn/
+author: Bhabesh Raj
+date: 2020/12/08
+tags:
+    - attack.initial_access
+    - attack.t1190
+logsource:
+    category: webserver
+detection:
+    selection:
+        c-uri: 
+            - '*lang=/../../*////*/dev/cmdb/sslvpn_websession'
+    condition: selection
+fields:
+    - client_ip
+    - url
+    - response
+falsepositives:
+    - Unknown
+level: critical