rules/linux/modsecurity/modsec_mulitple_blocks.yml

title: Multiple Modsecurity Blocks
id: a06eea10-d932-4aa6-8ba9-186df72c8d23
status: stable
description: Detects multiple blocks by the mod_security module (Web Application Firewall)
author: Florian Roth
date: 2017/02/28
logsource:
    product: linux
    service: modsecurity
detection:
    selection:
        - 'mod_security: Access denied'
        - 'ModSecurity: Access denied'
        - 'mod_security-message: Access denied'
    timeframe: 120m
    condition: selection | count() > 6
falsepositives:
    - Vulnerability scanners
    - Frequent attacks if system faces Internet
level: medium
tags:
    - attack.impact
    - attack.t1499
ModSecurity rule: multiple blocks 2017-02-28 17:53:32 +01:00			`title: Multiple Modsecurity Blocks`
Added UUIDs to rules 2019-11-12 23:12:27 +01:00			`id: a06eea10-d932-4aa6-8ba9-186df72c8d23`
Fixed my git issue 2020-09-13 22:03:04 -06:00			`status: stable`
Added UUIDs to rules 2019-11-12 23:12:27 +01:00			`description: Detects multiple blocks by the mod_security module (Web Application Firewall)`
fix: fixed missing date fields in remaining files 2020-01-30 16:07:37 +01:00			`author: Florian Roth`
Fixed my git issue 2020-09-13 22:03:04 -06:00			`date: 2017/02/28`
ModSecurity rule: multiple blocks 2017-02-28 17:53:32 +01:00			`logsource:`
			`product: linux`
			`service: modsecurity`
			`detection:`
			`selection:`
			`- 'mod_security: Access denied'`
			`- 'ModSecurity: Access denied'`
			`- 'mod_security-message: Access denied'`
fix: fixed missing date fields in remaining files 2020-01-30 16:07:37 +01:00			`timeframe: 120m`
ModSecurity rule: multiple blocks 2017-02-28 17:53:32 +01:00			`condition: selection \| count() > 6`
			`falsepositives:`
			`- Vulnerability scanners`
			`- Frequent attacks if system faces Internet`
			`level: medium`
$frack113$ add missing tags 2021-09-07 18:16:46 +02:00			`tags:`
			`- attack.impact`
			`- attack.t1499`