-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathcustom-http-exploit-scan.yaml
More file actions
42 lines (42 loc) · 1.7 KB
/
Copy pathcustom-http-exploit-scan.yaml
File metadata and controls
42 lines (42 loc) · 1.7 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
type: leaky
name: <GITHUB-USER>/http-exploit-scan
description: "Detect exploit/CVE scanning : env files, shell upload, path traversal, JNDI, admin panels not covered by existing CVE scenarios"
filter: >
evt.Meta.service == 'http' &&
(
evt.Meta.http_path contains '/.env' ||
evt.Meta.http_path contains '/.git/config' ||
evt.Meta.http_path contains '/wp-config.php' ||
evt.Meta.http_path contains '/config.php' ||
evt.Meta.http_path contains '/db.php' ||
evt.Meta.http_path contains '/backup.sql' ||
evt.Meta.http_path contains '/shell.php' ||
evt.Meta.http_path contains '/cmd.php' ||
evt.Meta.http_path contains '/c99.php' ||
evt.Meta.http_path contains '/r57.php' ||
evt.Meta.http_path contains '/webshell' ||
evt.Meta.http_path contains 'jndi:' ||
evt.Meta.http_path contains '${jndi' ||
evt.Meta.http_path contains '/actuator/env' ||
evt.Meta.http_path contains '/actuator/heapdump' ||
evt.Meta.http_path contains '/solr/admin' ||
evt.Meta.http_path contains '/manager/html' ||
evt.Meta.http_path contains '/../' ||
evt.Meta.http_path contains '%2e%2e%2f' ||
evt.Meta.http_path contains '%252e%252e' ||
evt.Meta.http_path contains 'etc/passwd' ||
evt.Meta.http_path contains 'etc/shadow' ||
evt.Meta.http_path contains '/proc/self'
)
groupby: evt.Meta.source_ip
leakspeed: "20s"
capacity: 3
blackhole: 5m
labels:
service: http
type: exploit
remediation: true
confidence: 3
spoofable: 0
behavior: "http:exploit"
label: "Exploit/CVE path scan"