From e7d62f8fbece0397462a24e2efcd281dfbf3c3bc Mon Sep 17 00:00:00 2001 From: Thomas Patzke Date: Wed, 11 Jan 2017 00:39:26 +0100 Subject: [PATCH] Added 'multiple_suspicious_response_codes_single_source' web rule --- ...le_suspicious_response_codes_single_source.yml | 15 +++++++++++++++ 1 file changed, 15 insertions(+) create mode 100644 web/multiple_suspicious_response_codes_single_source.yml diff --git a/web/multiple_suspicious_response_codes_single_source.yml b/web/multiple_suspicious_response_codes_single_source.yml new file mode 100644 index 000000000..deff3b3ac --- /dev/null +++ b/web/multiple_suspicious_response_codes_single_source.yml @@ -0,0 +1,15 @@ +title: Multiple suspicious Response Codes caused by Single Client +description: Detects possible exploitation activity or bugs in a web application +detection: + selection: + - log: web + response: + - 400 + - 401 + - 403 + - 500 + condition: selection | count() by clientip > 10 +falsepositives: + - Unstable application + - Application that misuses the response codes +level: 60
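Review bot: the aggregation in `condition: selection | count() by clientip > 10` has no `timeframe`, so the threshold of ten suspicious responses per client is evaluated over whatever window the backend or the analyst's search happens to cover and will behave very differently on a five-minute query than on a 24-hour one; add a `timeframe:` entry under `detection:` (for example `timeframe: 5m`) so the rule expresses a rate rather than a bare count. Two smaller points on the same hunk: the selection matches every 401, and authentication schemes that deliberately answer the first request with a 401 challenge (Negotiate/NTLM, Basic) will push ordinary clients over the threshold, so either drop 401 from the `response` list or record it under `falsepositives`; and since the count is keyed on `clientip`, `falsepositives` should also mention many users sharing one source address behind a NAT gateway or forward proxy, which is a far more common cause of this pattern than the "Unstable application" entry already listed.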