Thomas Patzke
16 lines
447 B
YAML
16 lines
447 B
YAML
title: Multiple suspicious Response Codes caused by Single Client
|
|
description: Detects possible exploitation activity or bugs in a web application
|
|
detection:
|
|
selection:
|
|
- log: web
|
|
response:
|
|
- 400
|
|
- 401
|
|
- 403
|
|
- 500
|
|
condition: selection | count() by clientip > 10
|
|
falsepositives:
|
|
- Unstable application
|
|
- Application that misuses the response codes
|
|
level: 60
|