Merge pull request #1301 from d4rk-d4nph3/master

Added rule for Fortinet CVE-2018-13379 preauth file read exploitation.
This commit is contained in:
Florian Roth 2020-12-08 11:09:51 +01:00 committed by GitHub
commit cfe60d180b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


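--- /dev/null
+++ b/PATH-NOT-SHOWN
@@ -0,0 +1,25 @@
+title: Fortinet CVE-2018-13379 Exploitation
+description: Detects CVE-2018-13379 exploitation attempt against Fortinet SSL VPNs
+id: a2e97350-4285-43f2-a63f-d0daff291738
+references:
+- https://devco.re/blog/2019/08/09/attacking-ssl-vpn-part-2-breaking-the-Fortigate-ssl-vpn/
+author: Bhabesh Raj
+date: 2020/12/08
+tags:
+- attack.initial_access
+- attack.t1190
+logsource:
+category: webserver
+detection:
+selection:
+c-uri|contains|all:
+- 'lang=/../../'
+- '/dev/cmdb/sslvpn_websession'
+condition: selection
+fields:
+- client_ip
+- url
+- response
+falsepositives:
+- Unknown
+level: critical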
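Review bot: The `fields` list names `client_ip`, `url` and `response` while the selection matches on `c-uri`, so the two halves of the rule use different field vocabularies; the fields should use the same webserver log field names the selection relies on (for example `- c-ip`, `- c-uri`, `- sc-status`) so a backend that surfaces them resolves them consistently. `falsepositives: - Unknown` could be narrowed to what is plausible for this URI, such as `- Vulnerability scanners` and `- Authorized penetration tests`, which is what a triager of a critical-level alert wants to know. The rule also has no `status` key; `status: experimental` is the usual starting value for a newly added rule. The `c-uri|contains|all` match runs against the URI as logged, so if the webserver source keeps the request line percent-encoded the literal `lang=/../../` will not match, and that decoding assumption is worth stating in the description. Indentation is flattened in this rendering, so the nesting under `logsource` and `detection` is inferred rather than visible.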