Merge pull request #1301 from d4rk-d4nph3/master

Added rule for Fortinet CVE-2018-13379 preauth file read exploitation.
2024-11-07 01:45:21 +00:00 · 2020-12-08 11:09:51 +01:00 · 2020-12-08 11:09:51 +01:00 · cfe60d180b
commit cfe60d180b
parent b6d62b7a21 2c642c64d2
1 changed files with 25 additions and 0 deletions
--- a/rules/web/web_fortinet_cve_2018_13379_preauth_read_exploit.yml
+++ b/rules/web/web_fortinet_cve_2018_13379_preauth_read_exploit.yml
@ -0,0 +1,25 @@
+title: Fortinet CVE-2018-13379 Exploitation
+description: Detects CVE-2018-13379 exploitation attempt against Fortinet SSL VPNs
+id: a2e97350-4285-43f2-a63f-d0daff291738
+references:
+    - https://devco.re/blog/2019/08/09/attacking-ssl-vpn-part-2-breaking-the-Fortigate-ssl-vpn/
+author: Bhabesh Raj
+date: 2020/12/08
+tags:
+    - attack.initial_access
+    - attack.t1190
+logsource:
+    category: webserver
+detection:
+    selection:
+        c-uri|contains|all: 
+            - 'lang=/../../'
+            - '/dev/cmdb/sslvpn_websession'
+    condition: selection
+fields:
+    - client_ip
+    - url
+    - response
+falsepositives:
+    - Unknown
+level: critical