Review Web logsource

This commit is contained in:
frack113
2023-05-08 11:04:16 +02:00
parent f3104f748f
commit c1a9712558
5 changed files with 12 additions and 11 deletions
+2 -2
@@ -17,5 +17,5 @@
*.png binary
*.jpg binary
# Sigma rule
*.yml text
# force lf for Sigma rule
*.yml text eol=lf
@@ -6,11 +6,9 @@ references:
- https://bi-zone.medium.com/hunting-down-ms-exchange-attacks-part-1-proxylogon-cve-2021-26855-26858-27065-26857-6e885c5f197c
author: frack113
date: 2021/08/10
modified: 2023/04/26
modified: 2023/05/08
logsource:
product: windows
service: iis
definition: w3c-logging must be enabled https://docs.microsoft.com/en-us/windows/win32/http/w3c-logging
category: webserver
detection:
selection:
cs-method: 'POST'
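Review bot: The `definition:` line documenting that W3C logging must be enabled is dropped together with the `product`/`service` pair, while the hunk's only other addition is `category: webserver` — read from the hunk header's net −2 and print order, since this page has lost the +/- markers, so treat the sides as inferred. A `definition` key remains valid next to `category`, and without it a consumer of this rule no longer sees the log-collection prerequisite that makes the `cs-method` selection below matchable at all. If the rule is still meant to cover IIS, keeping `definition: w3c-logging must be enabled https://docs.microsoft.com/en-us/windows/win32/http/w3c-logging` costs nothing; if the move to the generic category is deliberate, a one-line `definition` stating that request-level webserver access logging is required preserves the same information. The `detection` block continues past the hunk.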
@@ -7,12 +7,12 @@ references:
- https://www.x41-dsec.de/lab/advisories/x41-2021-002-nginx-resolver-copy/
author: Florian Roth (Nextron Systems)
date: 2021/05/31
modified: 2022/10/09
modified: 2023/05/08
tags:
- attack.impact
- attack.t1499.004
logsource:
service: apache
service: nginx
detection:
keywords:
- 'exited on signal 6 (core dumped)'
+2 -1
@@ -160,7 +160,8 @@
},
"service":{
"apache":[],
"netflow":[]
"netflow":[],
"nginx":[]
}
},
"cisco":{
+4 -2
@@ -19,7 +19,7 @@ class TestRules(unittest.TestCase):
path_to_rules_ = ["rules", "rules-emerging-threats", "rules-placeholder", "rules-threat-hunting", "rules-compliance"]
path_to_rules = []
for path_ in path_to_rules_:
path_to_rules.append(os.path.join(os.path.dirname(os.path.realpath(__file__)), path_))
path_to_rules.append(os.path.join(os.path.dirname(os.path.realpath(__name__)), path_))
# Helper functions
def yield_next_rule_file_path(self, path_to_rules: list) -> str:
@@ -53,7 +53,9 @@ class TestRules(unittest.TestCase):
def get_field_name(selection: dict):
name = []
for field in selection:
if "|" in field:
if field == '|all':
continue
elif "|" in field:
name.append(field.split('|')[0])
else:
name.append(field)
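Review bot: In the first hunk (the `path_to_rules` loop, inside the `TestRules` class body that starts above it), `os.path.realpath(__name__)` treats a module name as a file-system path, so the rule directories are resolved relative to the process's current working directory rather than to the test file — assuming the `__name__` line is the new side, since the page has lost the +/- markers. That holds when the tests are launched from the repository root but, from any other directory, the rule paths quietly point at a tree that does not exist and the checks have nothing to iterate. If the intent is the repository root one level above the tests directory, `path_to_rules.append(os.path.join(os.path.dirname(os.path.dirname(os.path.realpath(__file__))), path_))` says that without depending on the cwd; if the cwd really is the intended anchor, `os.getcwd()` states it explicitly. The `'|all'` skip in the second hunk reads fine; `get_field_name` presumably continues past the hunk's last line with its return.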