mirror of
https://github.com/valitydev/SigmaHQ.git
synced 2024-11-07 09:48:58 +00:00
30 lines
700 B
YAML
30 lines
700 B
YAML
title: Multiple Suspicious Resp Codes Caused by Single Client
|
|
id: 6fdfc796-06b3-46e8-af08-58f3505318af
|
|
status: experimental
|
|
description: Detects possible exploitation activity or bugs in a web application
|
|
author: Thomas Patzke
|
|
date: 2017/02/19
|
|
modified: 2020/09/03
|
|
logsource:
|
|
category: webserver
|
|
detection:
|
|
selection:
|
|
sc-status:
|
|
- 400
|
|
- 401
|
|
- 403
|
|
- 500
|
|
timeframe: 10m
|
|
condition: selection | count() by clientip > 10
|
|
fields:
|
|
- client_ip
|
|
- vhost
|
|
- url
|
|
- response
|
|
falsepositives:
|
|
- Unstable application
|
|
- Application that misuses the response codes
|
|
level: medium
|
|
tags:
|
|
- attack.initial_access
|
|
- attack.t1190 |