From 828484d7c6384d85d74ace3ab577fd6b60d22f2a Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Tue, 26 May 2020 12:09:41 +0200
Subject: [PATCH 1/3] rule: confluence exploit CVE-2019-3398

---
 rules/web/web_cve_2019_3398_confluence.yml | 27 ++++++++++++++++++++++
 1 file changed, 27 insertions(+)
 create mode 100644 rules/web/web_cve_2019_3398_confluence.yml

diff --git a/rules/web/web_cve_2019_3398_confluence.yml b/rules/web/web_cve_2019_3398_confluence.yml
new file mode 100644
index 000000000..cc93af37d
--- /dev/null
+++ b/rules/web/web_cve_2019_3398_confluence.yml
@@ -0,0 +1,27 @@
+title: Confluence Exploitation CVE-2019-3398
+id: e9bc39ae-978a-4e49-91ab-5bd481fc668b
+status: experimental
+description: Detects the exploitation of the Confluence vulnerability described in CVE-2019-3398
+references:
+ - https://devcentral.f5.com/s/articles/confluence-arbitrary-file-write-via-path-traversal-cve-2019-3398-34181
+author: Florian Roth
+date: 2020/05/26
+tags:
+ - attack.initial_access
+ - attack.t1190
+logsource:
+ category: webserver
+detection:
+ selection1:
+ cs-method: 'POST'
+ c-uri|contains|all:
+ - '/upload.action'
+ - 'filename=../../../../'
+ condition: selection
+fields:
+ - c-ip
+ - c-dns
+falsepositives:
+ - Unknown
+level: critical
+

From cdf1ade6254533f55b1802d081b33fdfac6a9077 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Tue, 26 May 2020 12:27:16 +0200
Subject: [PATCH 2/3] fix: typo in selection

---
 rules/web/web_cve_2019_3398_confluence.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/web/web_cve_2019_3398_confluence.yml b/rules/web/web_cve_2019_3398_confluence.yml
index cc93af37d..352529093 100644
--- a/rules/web/web_cve_2019_3398_confluence.yml
+++ b/rules/web/web_cve_2019_3398_confluence.yml
@@ -12,7 +12,7 @@ tags:
 logsource:
 category: webserver
 detection:
- selection1:
+ selection:
 cs-method: 'POST'
 c-uri|contains|all:
 - '/upload.action'

From b648998fd0e7100f6a39d7323be0cc1941e49d5e Mon Sep 17 00:00:00 2001
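Review bot: The traversal marker `'filename=../../../../'` in the `c-uri|contains|all` list only matches a plain, exactly-four-segment sequence, so a request that URL-encodes the dots or slashes (`%2e%2e/`, `..%2f`) or uses a different number of segments reaches the same handler without firing, and whether the query string lands in `c-uri` at all rather than in the POST body depends on the log source. Splitting the traversal marker into its own selection with the encoded spellings as alternatives closes the obvious bypasses while keeping the `/upload.action` anchor; the shorter `filename=../` also catches single-level traversal, and `falsepositives: Unknown` gives no reason to expect that to be noisy. Whether the backend compares case-insensitively (so `%2F` is covered by `%2f`) depends on the Sigma converter in use and is worth a test against the target SIEM.
```yaml
# … unchanged: title, id, status, description, references, author, date, tags, logsource …
detection:
    selection_upload:
        cs-method: 'POST'
        c-uri|contains: '/upload.action'
    selection_traversal:
        c-uri|contains:
            - 'filename=../'
            - 'filename=..%2f'
            - 'filename=%2e%2e/'
            - 'filename=%2e%2e%2f'
    condition: selection_upload and selection_traversal
# … unchanged: fields, falsepositives, level …
```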
From: Florian Roth
Date: Tue, 26 May 2020 13:18:50 +0200
Subject: [PATCH 3/3] rule: Turla ComRAT

---
 rules/proxy/proxy_turla_comrat.yml | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
 create mode 100644 rules/proxy/proxy_turla_comrat.yml

diff --git a/rules/proxy/proxy_turla_comrat.yml b/rules/proxy/proxy_turla_comrat.yml
new file mode 100644
index 000000000..3a743adb3
--- /dev/null
+++ b/rules/proxy/proxy_turla_comrat.yml
@@ -0,0 +1,19 @@
+title: Turla ComRAT
+id: 7857f021-007f-4928-8b2c-7aedbe64bb82
+status: experimental
+description: Detects Turla ComRAT patterns
+references:
+ - https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf
+author: Florian Roth
+date: 2020/05/26
+tags:
+ - attack.g0010
+logsource:
+ category: proxy
+detection:
+ selection:
+ c-uri|contains: '/index/index.php?h='
+ condition: selection
+falsepositives:
+ - Unknown
+level: critical
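Review bot: `c-uri|contains: '/index/index.php?h='` is the only selector, and an `index.php` with a one-letter query parameter is a common shape for legitimate web applications, so a `level: critical` rule with `falsepositives: Unknown` is likely to page on benign proxy traffic. If the referenced ESET report gives further invariants of the ComRAT HTTP channel (a fixed User-Agent, method, or value format for `h`), add them as a second selection and `and` it into the condition; otherwise document the expected noise, e.g. `falsepositives:` / `    - Legitimate web applications that expose an index.php with an 'h' parameter`, and consider `level: high`. The description `Detects Turla ComRAT patterns` does not say what is matched; `description: Detects the HTTP request URL pattern used by Turla ComRAT as described in the referenced ESET report` would tell an analyst what a hit means. The tags carry only the group ID; since this is a proxy-category rule the traffic is presumably C2, in which case `attack.command_and_control` and `attack.t1071.001` would let it be placed in the matrix — confirm against the report before adding.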