security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[New Rule] Potential HTTP Downgrade Attack (#5372)

Browse Source 
* [New Rule] Potential HTTP Downgrade Attack

* Update defense_evasion_potential_http_downgrade_attack.toml
This commit is contained in:
Ruben Groenewoud
2025-12-04 16:23:38 +01:00
committed by GitHub
parent f42b5143a6
commit efef99befd
1 changed files with 67 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/cross-platform/defense_evasion_potential_http_downgrade_attack.toml
+67
View File
@@ -0,0 +1,67 @@
[metadata]
creation_date = "2025/11/27"
integration = ["nginx", "apache", "apache_tomcat"]
maturity = "production"
updated_date = "2025/11/27"
[rule]
author = ["Elastic"]
description = """
Through the new_terms rule type, this rule detects potential HTTP downgrade attacks by identifying
HTTP traffic that uses a different HTTP version than the one typically used in the environment. An
HTTP downgrade attack occurs when an attacker forces a connection via an older HTTP version,
resulting in potentially less secure communication. For example, an attacker might downgrade a
connection from HTTP/2 to HTTP/1.1 or HTTP/1.0 to exploit known vulnerabilities or weaknesses in
the older protocol versions.
"""
from = "now-9m"
index = [
"logs-nginx.access-*",
"logs-apache.access-*",
"logs-apache_tomcat.access-*",
]
language = "kuery"
license = "Elastic License v2"
name = "Potential HTTP Downgrade Attack"
risk_score = 21
rule_id = "9797d2c8-8ec9-48e6-a022-350cdfbf2d5e"
severity = "low"
tags = [
"Domain: Web",
"Use Case: Threat Detection",
"Tactic: Defense Evasion",
"Data Source: Nginx",
"Data Source: Apache",
"Data Source: Apache Tomcat",
]
timestamp_override = "event.ingested"
type = "new_terms"
query = '''
http.version:*
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1562"
name = "Impair Defenses"
reference = "https://attack.mitre.org/techniques/T1562/"
[[rule.threat.technique.subtechnique]]
id = "T1562.010"
name = "Downgrade Attack"
reference = "https://attack.mitre.org/techniques/T1562/010/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
[rule.new_terms]
field = "new_terms_fields"
value = ["http.version", "agent.id"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-7d"