title: Multiple suspicious Response Codes caused by Single Client
id: 6fdfc796-06b3-46e8-af08-58f3505318af
description: Detects possible exploitation activity or bugs in a web application
author: Thomas Patzke
date: 2017/02/19
logsource:
    category: webserver
detection:
    selection:
        response:
          - 400
          - 401
          - 403
          - 500
    timeframe: 10m
    condition: selection | count() by clientip > 10
fields:
    - client_ip
    - vhost
    - url
    - response
falsepositives:
    - Unstable application
    - Application that misuses the response codes
level: medium