afb2e7567d
Create web_cve_2022_36804_atlassian_bitbucket_command_injection.yml
2022-09-29 22:23:04 +02:00
fb44c6fa87
Update meta info
2022-09-13 22:14:45 +02:00
4573ab0a21
Fix a lot of typos in rules text and comments #Part 3 ( #3446 )
2022-08-30 08:21:25 +02:00
f62f2bb902
fix case on author for consistency
2022-08-18 17:48:44 -04:00
4316d9c500
Update condition
2022-08-18 18:38:14 +02:00
a9f22696d8
Update web_cve_2022_27925_exploit.yml
...
consolidated selection logic and stripped "cs-cookie: 'ZM_AUTH_TOKEN'", as it is most likely not logged
2022-08-18 12:27:58 -04:00
c1dc90f9ed
Update web_cve_2022_27925_exploit.yml
...
Added additional logic looking for a call to an uploaded webshell, with a 200 response
2022-08-18 07:30:23 -04:00
224e30c3f4
Update web_cve_2022_27925_exploit.yml
...
corrected issues surrounding the sigma checks and added an additional reference
2022-08-18 07:25:29 -04:00
405b9aa563
Create web_cve_2022_27925_exploit.yml
2022-08-17 15:22:44 -04:00
6798d69d00
Update
2022-08-15 00:22:08 +01:00
ce43b1da5c
Create web_cve_2022_31659_vmware_rce.yml
2022-08-12 18:50:08 +01:00
4f7738b867
Add rule CVE-2022-31656
2022-08-12 16:29:52 +01:00
9eb0ea7284
Update web_cve_2020_10148_solarwinds_exploit.yml
2022-08-03 16:38:38 +02:00
4d00c9a33a
Adjusting the condition query
2022-08-02 23:28:42 +00:00
0c0008e8d5
Narrowing the detection due to false positive matches of webresource.axd
2022-08-02 23:18:50 +00:00
dbfd439ce4
fix: too many FPs
...
with e.g. =select-billing-address and many more
2022-07-27 14:18:29 +02:00
ff6384aabb
Merge pull request #3262 from redsand/improvement_add_additional_useragent
...
Feature improvement to add an additional known user agent seen in the…
2022-07-22 21:07:03 +02:00
3c015a9c78
Feature improvement to add an additional known user agent seen in the wild.
2022-07-21 19:28:10 +00:00
63963a9014
Merge pull request #3254 from nasbench/cve_2022_33891
...
Create web_cve_2022_33891_spark_rce.yml
2022-07-21 18:13:39 +02:00
de4dd20a82
Update web_cve_2022_33891_spark_shell_command_injection.yml
2022-07-21 18:02:44 +02:00
aa79f4a5ee
Update web_cve_2022_33891_spark_shell_command_injection.yml
2022-07-21 15:34:11 +01:00
de68fb244e
Merge pull request #3251 from nasbench/CVE-2014-6287
...
Create web_cve_2014_6287_hfs_rce.yml
2022-07-20 23:24:42 +02:00
a8b283ba5f
Update
2022-07-20 13:40:24 +01:00
4c5929416a
Update web_cve_2014_6287_hfs_rce.yml
2022-07-20 13:26:19 +01:00
776b3ff99c
Update web_susp_useragents.yml
2022-07-20 14:21:41 +02:00
06c9ba2730
Renamed File
2022-07-19 18:38:10 +01:00
32b028fb16
Create web_cve_2022_33891_spark_rce.yml
2022-07-19 17:15:14 +01:00
595af48863
Create web_susp_useragents.yml
2022-07-19 16:26:28 +01:00
982038ebe3
Update web_cve_2014_6287_hfs_rce.yml
2022-07-19 15:27:16 +01:00
8e5e71ea15
Create web_cve_2014_6287_hfs_rce.yml
2022-07-19 15:17:16 +01:00
1392ca1ec5
Fix review
2022-07-11 20:27:42 +01:00
62574e9b0c
Update Ref+Selection 3
2022-07-11 18:12:51 +01:00
238e0ecd7d
Update Ref+Selection
2022-07-11 14:11:53 +01:00
aec95b6d65
Update selections and indentation
2022-07-07 20:13:45 +01:00
10dfd7d063
fix: FP found in webserver logs
2022-06-27 16:46:18 +02:00
f728893364
refactor: rule level adjustments - critical to high
2022-06-18 17:43:22 +02:00
a2d19f3db2
Add FP filter + FP remark
2022-06-15 11:48:15 +01:00
9f0989e49c
Quick typo fix
2022-06-15 11:38:34 +01:00
894f6af09f
Removed double quotes
2022-06-15 11:30:01 +01:00
ee23e653f9
Added "GET" method selection
2022-06-15 11:29:31 +01:00
e42318b0fb
Update web_ssti_in_access_logs.yml
2022-06-14 22:10:09 +01:00
b54df8d9ce
Rename+Update
2022-06-14 21:58:34 +01:00
f527b8eb4c
Rename Web CVE Rules
...
Renamed WEB CVE rules to the format "web_cve_20XX_XXXX_rest_of_name"
2022-06-14 19:22:26 +01:00
00db705ae6
Rename Web Rule
2022-06-14 19:13:15 +01:00
d3d5f4faea
Update web_susp_windows_path_uri.yml
2022-06-07 10:45:06 +02:00
7327dd53e5
New/Update Rules
...
- Renamed "sql_injection_keywords.yml" to "web_sql_injection_keywords.yml" to conform with the rest of the rule in the WEB directory
- Renamed "xss_keywords.yml" to "web_xss_keywords.yml" to conform with the rest of the rule in the WEB directory
- Renamed "proc_create_win_msdt_susp_parent.yml" to "proc_creation_win_msdt_susp_parent.yml" to conform with other process creation rules
- Renamed "proc_create_win_sdiagnhost_susp_child.yml" to "proc_creation_win_sdiagnhost_susp_child.yml" to conform with other process creation rules
- Moved the rule "win_powershell_snapins_hafnium.yml" to process_creation folder instead of the WEB folder
- Created "web_susp_windows_path_uri.yml" to detect URI that contains susp windows paths
- Updated the description "web_webshell_keyword.yml" and added 3 more cases
- Created "file_event_win_cve_2021_44077_poc_default_files.yml" to detect the default dropped file from the POC of CVE-2021-44077 (Showcased in the DFIR report)
- Created "proc_creation_win_renamed_plink.yml" to detect renamed usage of "Plink"
2022-06-06 21:16:52 +01:00
3b4ad16c5f
refactor: new expr from honeypot, increased level
2022-06-06 17:32:08 +02:00
b3d9706014
Update web_java_in_access_log.yml
2022-06-04 15:21:04 +02:00
f4c61c58f6
Update web_java_in_access_log.yml
2022-06-04 13:39:36 +02:00
6af060a91f
Add new string
2022-06-04 10:08:49 +02:00
Nasreddine Bencherchali