Update web_cve_2022_27925_exploit.yml
Consolidated the selection logic and removed the `cs-cookie: 'ZM_AUTH_TOKEN'` condition, since the cookie header is most likely not present in web server logs.
@@ -17,15 +17,12 @@ logsource:
detection:
selection_servlet:
cs-method: 'POST'
c-uri|contains: '/service/extension/backup/mboximport?'
selection_uri:
c-uri|contains: '/service/extension/backup/mboximport\?'
c-uri|contains|all:
- 'account-name'
- 'ow'
- 'no-switch'
- 'append'
cs-cookie: 'ZM_AUTH_TOKEN'
selection_status:
sc-status:
- '401'
- '200'
@@ -33,7 +30,7 @@ detection:
cs-uri|contains: '/zimbraAdmin/'
cs-uri|endswith: '.jsp'
cs-status|contains: '200'
condition: all of selection* or selection_shell
condition: all of selection_servlet or selection_shell
falsepositives:
- Unknown
level: medium
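Review bot: The field names in selection_shell (`cs-uri`, `cs-status`) do not match those in the retained selection_servlet (`c-uri`, `cs-method`, `sc-status`), so a backend field mapping written for `c-uri`/`sc-status` will leave the shell selection's fields untranslated and the `selection_shell` branch of the new condition may never fire in practice. Since the condition is being rewritten to `all of selection_servlet or selection_shell`, the shell selection should be aligned at the same time: `c-uri|contains: '/zimbraAdmin/'`, `c-uri|endswith: '.jsp'`, `sc-status: '200'` (an exact status match rather than `|contains`). The new condition also no longer references `selection_status`; if that block (sc-status 401/200) is still present in the new file, it is dead and should either be deleted or put back into the condition. `all of` over a single identifier is accepted but reads oddly — `selection_servlet or selection_shell` expresses the same thing.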