Added rule for zero day CVE-2021-22123 in Fortinet WAFs
This commit is contained in:
Bhabesh Rai
@@ -0,0 +1,30 @@
|
||||
title: Fortinet CVE-2021-22123 Exploitation
|
||||
description: Detects CVE-2021-22123 exploitation attempt against Fortinet WAFs
|
||||
id: f425637f-891c-4191-a6c4-3bb1b70513b4
|
||||
references:
|
||||
- https://www.rapid7.com/blog/post/2021/08/17/fortinet-fortiweb-os-command-injection
|
||||
author: Bhabesh Raj
|
||||
date: 2021/08/18
|
||||
tags:
|
||||
- attack.initial_access
|
||||
- attack.t1190
|
||||
logsource:
|
||||
category: webserver
|
||||
detection:
|
||||
selection:
|
||||
c-uri|contains:
|
||||
- '/api/v2.0/user/remoteserver.saml'
|
||||
cs-method:
|
||||
- POST
|
||||
content-type|startswith:
|
||||
- 'multipart/form-data;'
|
||||
content-disposition|contains:
|
||||
- '`'
|
||||
condition: selection
|
||||
fields:
|
||||
- client_ip
|
||||
- url
|
||||
- response
|
||||
falsepositives:
|
||||
- Unknown
|
||||
level: critical
|
||||
Reference in New Issue
Block a user