SigmaHQ/rules/web/web_multiple_suspicious_resp_codes_single_source.yml
2017-09-17 00:20:17 +02:00

24 lines
551 B
YAML

title: Multiple suspicious Response Codes caused by Single Client
description: Detects possible exploitation activity or bugs in a web application
author: Thomas Patzke
logsource:
category: webserver
detection:
selection:
response:
- 400
- 401
- 403
- 500
timeframe: 10m
condition: selection | count() by clientip > 10
fields:
- client_ip
- vhost
- url
- response
falsepositives:
- Unstable application
- Application that misuses the response codes
level: medium