From c1a97125588c2b3be27e66b312add298b6fe3c2e Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Mon, 8 May 2023 11:04:16 +0200
Subject: [PATCH] Review Web logsource
---
 .gitattributes | 4 ++--
 .../Exploits/CVE-2021-26858/web_cve_2021_26858_iis_rce.yml | 6 ++----
 .../nginx}/web_nginx_core_dump.yml | 4 ++--
 tests/logsource.json | 3 ++-
 tests/test_logsource.py | 6 ++++--
 5 files changed, 12 insertions(+), 11 deletions(-)
 rename rules/web/{webserver_generic => product/nginx}/web_nginx_core_dump.yml (94%)
diff --git a/.gitattributes b/.gitattributes
index a57cbea52..ebd98ba40 100644
--- a/.gitattributes
+++ b/.gitattributes
@@ -17,5 +17,5 @@
 *.png binary
 *.jpg binary
-# Sigma rule
-*.yml text
+# force lf for Sigma rule
+*.yml text eol=lf
diff --git a/rules-emerging-threats/2021/Exploits/CVE-2021-26858/web_cve_2021_26858_iis_rce.yml b/rules-emerging-threats/2021/Exploits/CVE-2021-26858/web_cve_2021_26858_iis_rce.yml
index 10570812f..93a434a36 100644
--- a/rules-emerging-threats/2021/Exploits/CVE-2021-26858/web_cve_2021_26858_iis_rce.yml
+++ b/rules-emerging-threats/2021/Exploits/CVE-2021-26858/web_cve_2021_26858_iis_rce.yml
@@ -6,11 +6,9 @@ references:
 - https://bi-zone.medium.com/hunting-down-ms-exchange-attacks-part-1-proxylogon-cve-2021-26855-26858-27065-26857-6e885c5f197c
 author: frack113
 date: 2021/08/10
-modified: 2023/04/26
+modified: 2023/05/08
 logsource:
- product: windows
- service: iis
- definition: w3c-logging must be enabled https://docs.microsoft.com/en-us/windows/win32/http/w3c-logging
+ category: webserver
 detection:
 selection:
 cs-method: 'POST'
diff --git a/rules/web/webserver_generic/web_nginx_core_dump.yml b/rules/web/product/nginx/web_nginx_core_dump.yml
similarity index 94%
rename from rules/web/webserver_generic/web_nginx_core_dump.yml
rename to rules/web/product/nginx/web_nginx_core_dump.yml
index 885da4765..3450d965e 100644
--- a/rules/web/webserver_generic/web_nginx_core_dump.yml
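Review bot: Replacing `product: windows` / `service: iis` with `category: webserver` also drops the `definition:` line that told operators W3C logging must be enabled, so the generic rule no longer says which log has to be onboarded for it to fire. The reference in the hunk ties this rule to ProxyLogon on Exchange, whose front end is IIS, so a short `definition: 'Expects web server request logs from the Exchange front end (IIS W3C logging must be enabled)'` under the new `logsource:` would preserve that prerequisite without undoing the generalisation. The surviving `cs-method` field appears to follow the generic webserver field naming, so the selection itself looks compatible with the new category, but only one field of the detection block is visible here; the rest of `detection:` lies outside the hunk.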
+++ b/rules/web/product/nginx/web_nginx_core_dump.yml
@@ -7,12 +7,12 @@ references:
 - https://www.x41-dsec.de/lab/advisories/x41-2021-002-nginx-resolver-copy/
 author: Florian Roth (Nextron Systems)
 date: 2021/05/31
-modified: 2022/10/09
+modified: 2023/05/08
 tags:
 - attack.impact
 - attack.t1499.004
 logsource:
- service: apache
+ service: nginx
 detection:
 keywords:
 - 'exited on signal 6 (core dumped)'
diff --git a/tests/logsource.json b/tests/logsource.json
index 970d57b6f..4f4b4d477 100644
--- a/tests/logsource.json
+++ b/tests/logsource.json
@@ -160,7 +160,8 @@
 },
 "service":{
 "apache":[],
- "netflow":[]
+ "netflow":[],
+ "nginx":[]
 }
 },
 "cisco":{
diff --git a/tests/test_logsource.py b/tests/test_logsource.py
index 4272c4e09..1774cb4c7 100644
--- a/tests/test_logsource.py
+++ b/tests/test_logsource.py
@@ -19,7 +19,7 @@ class TestRules(unittest.TestCase):
 path_to_rules_ = ["rules", "rules-emerging-threats", "rules-placeholder", "rules-threat-hunting", "rules-compliance"]
 path_to_rules = []
 for path_ in path_to_rules_:
- path_to_rules.append(os.path.join(os.path.dirname(os.path.realpath(__file__)), path_))
+ path_to_rules.append(os.path.join(os.path.dirname(os.path.realpath(__name__)), path_))
 # Helper functions
 def yield_next_rule_file_path(self, path_to_rules: list) -> str:
@@ -53,7 +53,9 @@ class TestRules(unittest.TestCase):
 def get_field_name(selection: dict):
 name = []
 for field in selection:
- if "|" in field:
+ if field == '|all':
+ continue
+ elif "|" in field:
 name.append(field.split('|')[0])
 else:
 name.append(field)
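Review bot: The moved rule's `logsource:` now carries only `service: nginx` with no `product:` key, while the tests/logsource.json hunk registers `"nginx":[]` inside a `"service"` map that sits under a product whose key is outside the hunk; whether the allowed-logsource check accepts a product-less `service: nginx` cannot be confirmed from what is visible. If that check keys on product first, the rule needs the matching `product:` line next to `service: nginx` or it will be rejected despite the new table entry. Independently, the keyword `'exited on signal 6 (core dumped)'` reads like an nginx error-log message rather than an access-log entry, so a `definition:` naming the expected log (error log) would stop the rule being pointed at request logs where it can never match; that is an inference from the keyword text. The keyword list continues outside the hunk.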
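Review bot: `os.path.realpath(__name__)` on the changed line resolves a module name (`'test_logsource'` or `'__main__'`), not a file path, so it is evaluated against the current working directory and the rule directories are found only when the suite is started from the repository root. The removed `__file__` form anchored the paths to the tests/ directory, which presumably did not contain the rule folders and is what this change works around. If the intent is "repository root, relative to this file", `os.path.join(os.path.dirname(os.path.dirname(os.path.realpath(__file__))), path_)` says so without depending on the working directory; if the working-directory dependency is deliberate, a comment such as `# resolved against the CWD: the tests must be run from the repository root` should record it. The class body this attribute belongs to starts before the hunk.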
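Review bot: The new `if field == '|all': continue` branch is followed by `elif "|" in field:`, which reads as if the branches were mutually exclusive after a `continue`; keeping the original `if "|" in field:` on that line preserves the behaviour and the function's previous shape. The skip itself is justified but undocumented: without it `field.split('|')[0]` would yield `''` for `'|all'` and an empty field name would be appended, so a comment such as `# '|all' is a modifier on a keyword list, not a field name; nothing to collect` would save the next reader from treating it as a stray guard. Whether other bare-modifier keys can occur in a selection is not visible here, so the exact-equality test is reasonable as written. get_field_name's decorator, if any, sits outside the hunk.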