forked from opensearch-project/security-analytics
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Adding WAF Log type (opensearch-project#617) (opensearch-project#645)
Signed-off-by: Sandesh Kumar <[email protected]>
- Loading branch information
1 parent
a64c51a
commit 848262e
Showing
11 changed files
with
353 additions
and
32 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,55 @@ | ||
{ | ||
"name": "waf", | ||
"description": "Web Application Firewall Log Type", | ||
"is_builtin": true, | ||
"mappings": [ | ||
{ | ||
"raw_field":"cs-method", | ||
"ecs":"waf.request.method" | ||
}, | ||
{ | ||
"raw_field":"httpRequest.httpMethod", | ||
"ecs":"waf.request.method" | ||
}, | ||
{ | ||
"raw_field":"cs-uri-query", | ||
"ecs":"waf.request.uri_query" | ||
}, | ||
{ | ||
"raw_field":"httpRequest.uri", | ||
"ecs":"waf.request.uri_query" | ||
}, | ||
{ | ||
"raw_field":"httpRequest.args", | ||
"ecs":"waf.request.uri_query" | ||
}, | ||
{ | ||
"raw_field":"cs-user-agent", | ||
"ecs":"waf.request.headers.user_agent" | ||
}, | ||
{ | ||
"raw_field":"httpRequest.headers", | ||
"ecs":"waf.request.headers" | ||
}, | ||
{ | ||
"raw_field":"sc-status", | ||
"ecs":"waf.response.code" | ||
}, | ||
{ | ||
"raw_field":"responseCodeSent", | ||
"ecs":"waf.response.code" | ||
}, | ||
{ | ||
"raw_field":"timestamp", | ||
"ecs":"timestamp" | ||
}, | ||
{ | ||
"raw_field":"httpRequest.headers.value", | ||
"ecs":"waf.request.headers.value" | ||
}, | ||
{ | ||
"raw_field":"httpRequest.headers.name", | ||
"ecs":"waf.request.headers.name" | ||
} | ||
] | ||
} |
29 changes: 29 additions & 0 deletions
29
src/main/resources/rules/waf/aws_waf/aws_waf_web_susp_useragents.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,29 @@ | ||
title: Suspicious User-Agents Related To Recon Tools - AWS WAF | ||
id: 19aa4f58-94ca-45ff-bc34-92e533c0994b | ||
status: experimental | ||
description: Detects known suspicious (default) user-agents related to scanning/recon tools | ||
references: | ||
- https://github.com/wpscanteam/wpscan/blob/196fbab5b1ce3870a43515153d4f07878a89d410/lib/wpscan/browser.rb | ||
- https://github.com/xmendez/wfuzz/blob/1b695ee9a87d66a7d7bf6cae70d60a33fae51541/docs/user/basicusage.rst | ||
- https://github.com/lanmaster53/recon-ng/blob/9e907dfe09fce2997f0301d746796408e01a60b7/recon/core/base.py#L92 | ||
author: Nasreddine Bencherchali (Nextron Systems), Tim Shelton, Sandesh Kumar (Amazon) | ||
date: 2022/07/19 | ||
modified: 2023/09/26 | ||
tags: | ||
- attack.initial_access | ||
- attack.t1190 | ||
logsource: | ||
category: webserver | ||
detection: | ||
selection: | ||
waf.request.headers.name: 'User-agent' | ||
waf.request.headers.value|contains: | ||
# Add more tools as you see fit | ||
- 'Wfuzz/' | ||
- 'WPScan v' | ||
- 'Recon-ng/v' | ||
- 'GIS - AppSec Team - Project Vision' | ||
condition: selection | ||
falsepositives: | ||
- Unknown | ||
level: medium |
30 changes: 30 additions & 0 deletions
30
src/main/resources/rules/waf/web_cve_2023_25717_ruckus_wireless_admin_exploit_attempt.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,30 @@ | ||
title: Potential CVE-2023-25717 Exploitation Attempt | ||
id: 043c1609-0e32-4462-a6f2-5a0c2da3fafe | ||
status: experimental | ||
description: Detects a potential exploitation attempt of CVE-2023-25717 a Remote Code Execution via an unauthenticated HTTP GET Request, in Ruckus Wireless Admin | ||
references: | ||
- https://cybir.com/2023/cve/proof-of-concept-ruckus-wireless-admin-10-4-unauthenticated-remote-code-execution-csrf-ssrf/ | ||
author: Nasreddine Bencherchali (Nextron Systems) | ||
date: 2023/05/30 | ||
tags: | ||
- attack.initial_access | ||
- attack.t1190 | ||
- cve.2023.25717 | ||
- detection.emerging_threats | ||
logsource: | ||
category: webserver | ||
detection: | ||
selection: | ||
cs-method: 'GET' | ||
cs-uri-query|contains|all: | ||
- '/forms/doLogin' | ||
- 'login_username' | ||
- 'password' | ||
cs-uri-query|contains: | ||
- '$(' | ||
- '%24%28' # URL Encode version of "$(" | ||
condition: selection | ||
falsepositives: | ||
- Vulnerability scanners | ||
- Some rare false positives may occur if the password contains the characters "$(". Apply addition indicators such as executed commands to remove FP | ||
level: high |
60 changes: 60 additions & 0 deletions
60
src/main/resources/rules/waf/web_sql_injection_in_access_logs.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,60 @@ | ||
title: SQL Injection Strings In URI | ||
id: 5513deaf-f49a-46c2-a6c8-3f111b5cb453 | ||
status: test | ||
description: Detects potential SQL injection attempts via GET requests in access logs. | ||
references: | ||
- https://www.acunetix.com/blog/articles/exploiting-sql-injection-example/ | ||
- https://www.acunetix.com/blog/articles/using-logs-to-investigate-a-web-application-attack/ | ||
- https://brightsec.com/blog/sql-injection-payloads/ | ||
- https://github.com/payloadbox/sql-injection-payload-list | ||
- https://book.hacktricks.xyz/pentesting-web/sql-injection/mysql-injection | ||
author: Saw Win Naung, Nasreddine Bencherchali (Nextron Systems), Thurein Oo (Yoma Bank) | ||
date: 2020/02/22 | ||
modified: 2023/09/04 | ||
tags: | ||
- attack.initial_access | ||
- attack.t1190 | ||
logsource: | ||
category: webserver | ||
detection: | ||
selection: | ||
cs-method: 'GET' | ||
keywords: | ||
- '@@version' | ||
- '%271%27%3D%271' | ||
- '=select ' | ||
- '=select(' | ||
- '=select%20' | ||
- 'concat_ws(' | ||
- 'CONCAT(0x' | ||
- 'from mysql.innodb_table_stats' | ||
- 'from%20mysql.innodb_table_stats' | ||
- 'group_concat(' | ||
- 'information_schema.tables' | ||
- 'json_arrayagg(' | ||
- 'or 1=1#' | ||
- 'or%201=1#' | ||
- 'order by ' | ||
- 'order%20by%20' | ||
- 'select * ' | ||
- 'select database()' | ||
- 'select version()' | ||
- 'select%20*%20' | ||
- 'select%20database()' | ||
- 'select%20version()' | ||
- 'select%28sleep%2810%29' | ||
- 'SELECTCHAR(' | ||
- 'table_schema' | ||
- 'UNION ALL SELECT' | ||
- 'UNION SELECT' | ||
- 'UNION%20ALL%20SELECT' | ||
- 'UNION%20SELECT' | ||
- "'1'='1" | ||
filter_main_status: | ||
sc-status: 404 | ||
condition: selection and keywords and not 1 of filter_main_* | ||
falsepositives: | ||
- Java scripts and CSS Files | ||
- User searches in search boxes of the respective website | ||
- Internal vulnerability scanners can cause some serious FPs when used, if you experience a lot of FPs due to this think of adding more filters such as "User Agent" strings and more response codes | ||
level: high |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,28 @@ | ||
title: Suspicious User-Agents Related To Recon Tools | ||
id: 19aa4f58-94ca-45ff-bc34-92e533c0994a | ||
status: experimental | ||
description: Detects known suspicious (default) user-agents related to scanning/recon tools | ||
references: | ||
- https://github.com/wpscanteam/wpscan/blob/196fbab5b1ce3870a43515153d4f07878a89d410/lib/wpscan/browser.rb | ||
- https://github.com/xmendez/wfuzz/blob/1b695ee9a87d66a7d7bf6cae70d60a33fae51541/docs/user/basicusage.rst | ||
- https://github.com/lanmaster53/recon-ng/blob/9e907dfe09fce2997f0301d746796408e01a60b7/recon/core/base.py#L92 | ||
author: Nasreddine Bencherchali (Nextron Systems), Tim Shelton | ||
date: 2022/07/19 | ||
modified: 2023/01/02 | ||
tags: | ||
- attack.initial_access | ||
- attack.t1190 | ||
logsource: | ||
category: webserver | ||
detection: | ||
selection: | ||
cs-user-agent|contains: | ||
# Add more tools as you see fit | ||
- 'Wfuzz/' | ||
- 'WPScan v' | ||
- 'Recon-ng/v' | ||
- 'GIS - AppSec Team - Project Vision' | ||
condition: selection | ||
falsepositives: | ||
- Unknown | ||
level: medium |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,48 @@ | ||
title: Cross Site Scripting Strings | ||
id: 65354b83-a2ea-4ea6-8414-3ab38be0d409 | ||
status: experimental | ||
description: Detects XSS attempts injected via GET requests in access logs | ||
references: | ||
- https://github.com/payloadbox/xss-payload-list | ||
- https://portswigger.net/web-security/cross-site-scripting/contexts | ||
author: Saw Win Naung, Nasreddine Bencherchali | ||
date: 2021/08/15 | ||
modified: 2022/06/14 | ||
tags: | ||
- attack.initial_access | ||
- attack.t1189 | ||
logsource: | ||
category: webserver | ||
detection: | ||
select_method: | ||
cs-method: 'GET' | ||
keywords: | ||
- '=<script>' | ||
- '=%3Cscript%3E' | ||
- '=%253Cscript%253E' | ||
- '<iframe ' | ||
- '%3Ciframe ' | ||
- '<svg ' | ||
- '%3Csvg ' | ||
- 'document.cookie' | ||
- 'document.domain' | ||
- ' onerror=' | ||
- ' onresize=' | ||
- ' onload="' | ||
- 'onmouseover=' | ||
- '${alert' | ||
- 'javascript:alert' | ||
- 'javascript%3Aalert' | ||
filter: | ||
sc-status: 404 | ||
condition: select_method and keywords and not filter | ||
fields: | ||
- client_ip | ||
- vhost | ||
- url | ||
- response | ||
falsepositives: | ||
- JavaScripts,CSS Files and PNG files | ||
- User searches in search boxes of the respective website | ||
- Internal vulnerability scanners can cause some serious FPs when used, if you experience a lot of FPs due to this think of adding more filters such as "User Agent" strings and more response codes | ||
level: high |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.