From 848262e64ed8f7ea64dd4ad628284d88d17f0e77 Mon Sep 17 00:00:00 2001 From: "opensearch-trigger-bot[bot]" <98922864+opensearch-trigger-bot[bot]@users.noreply.github.com> Date: Thu, 5 Oct 2023 09:12:01 -0700 Subject: [PATCH] Adding WAF Log type (#617) (#645) Signed-off-by: Sandesh Kumar --- src/main/resources/OSMapping/logtypes.json | 9 +++ src/main/resources/OSMapping/waf_logtype.json | 55 +++++++++++++++++ .../aws_waf/aws_waf_web_susp_useragents.yml | 29 +++++++++ ..._ruckus_wireless_admin_exploit_attempt.yml | 30 ++++++++++ .../waf/web_sql_injection_in_access_logs.yml | 60 +++++++++++++++++++ .../rules/waf/web_susp_useragents.yml | 28 +++++++++ .../rules/waf/web_xss_in_access_logs.yml | 48 +++++++++++++++ .../mapper/MapperRestApiIT.java | 60 ++++++++++--------- .../resthandler/CustomLogTypeRestApiIT.java | 4 +- .../resthandler/RuleRestApiIT.java | 5 +- src/test/resources/waf-sample.json | 57 ++++++++++++++++++ 11 files changed, 353 insertions(+), 32 deletions(-) create mode 100644 src/main/resources/OSMapping/waf_logtype.json create mode 100644 src/main/resources/rules/waf/aws_waf/aws_waf_web_susp_useragents.yml create mode 100644 src/main/resources/rules/waf/web_cve_2023_25717_ruckus_wireless_admin_exploit_attempt.yml create mode 100644 src/main/resources/rules/waf/web_sql_injection_in_access_logs.yml create mode 100644 src/main/resources/rules/waf/web_susp_useragents.yml create mode 100644 src/main/resources/rules/waf/web_xss_in_access_logs.yml create mode 100644 src/test/resources/waf-sample.json diff --git a/src/main/resources/OSMapping/logtypes.json b/src/main/resources/OSMapping/logtypes.json index 911629b4d..30aa32a44 100644 --- a/src/main/resources/OSMapping/logtypes.json +++ b/src/main/resources/OSMapping/logtypes.json @@ -196,5 +196,14 @@ "tags": { "correlation_id": 23 } + }, + "waf": { + "name": "waf", + "description": "Web Application Firewall based logs", + "category": "Security", + "source": "Sigma", + "tags": { + "correlation_id": 24 + } } } diff --git a/src/main/resources/OSMapping/waf_logtype.json b/src/main/resources/OSMapping/waf_logtype.json new file mode 100644 index 000000000..5eed2c2fb --- /dev/null +++ b/src/main/resources/OSMapping/waf_logtype.json @@ -0,0 +1,55 @@ +{ + "name": "waf", + "description": "Web Application Firewall Log Type", + "is_builtin": true, + "mappings": [ + { + "raw_field":"cs-method", + "ecs":"waf.request.method" + }, + { + "raw_field":"httpRequest.httpMethod", + "ecs":"waf.request.method" + }, + { + "raw_field":"cs-uri-query", + "ecs":"waf.request.uri_query" + }, + { + "raw_field":"httpRequest.uri", + "ecs":"waf.request.uri_query" + }, + { + "raw_field":"httpRequest.args", + "ecs":"waf.request.uri_query" + }, + { + "raw_field":"cs-user-agent", + "ecs":"waf.request.headers.user_agent" + }, + { + "raw_field":"httpRequest.headers", + "ecs":"waf.request.headers" + }, + { + "raw_field":"sc-status", + "ecs":"waf.response.code" + }, + { + "raw_field":"responseCodeSent", + "ecs":"waf.response.code" + }, + { + "raw_field":"timestamp", + "ecs":"timestamp" + }, + { + "raw_field":"httpRequest.headers.value", + "ecs":"waf.request.headers.value" + }, + { + "raw_field":"httpRequest.headers.name", + "ecs":"waf.request.headers.name" + } + ] +} diff --git a/src/main/resources/rules/waf/aws_waf/aws_waf_web_susp_useragents.yml b/src/main/resources/rules/waf/aws_waf/aws_waf_web_susp_useragents.yml new file mode 100644 index 000000000..9629f4555 --- /dev/null +++ b/src/main/resources/rules/waf/aws_waf/aws_waf_web_susp_useragents.yml @@ -0,0 +1,29 @@ +title: Suspicious User-Agents Related To Recon Tools - AWS WAF +id: 19aa4f58-94ca-45ff-bc34-92e533c0994b +status: experimental +description: Detects known suspicious (default) user-agents related to scanning/recon tools +references: + - https://github.com/wpscanteam/wpscan/blob/196fbab5b1ce3870a43515153d4f07878a89d410/lib/wpscan/browser.rb + - https://github.com/xmendez/wfuzz/blob/1b695ee9a87d66a7d7bf6cae70d60a33fae51541/docs/user/basicusage.rst + - https://github.com/lanmaster53/recon-ng/blob/9e907dfe09fce2997f0301d746796408e01a60b7/recon/core/base.py#L92 +author: Nasreddine Bencherchali (Nextron Systems), Tim Shelton, Sandesh Kumar (Amazon) +date: 2022/07/19 +modified: 2023/09/26 +tags: + - attack.initial_access + - attack.t1190 +logsource: + category: webserver +detection: + selection: + waf.request.headers.name: 'User-agent' + waf.request.headers.value|contains: + # Add more tools as you see fit + - 'Wfuzz/' + - 'WPScan v' + - 'Recon-ng/v' + - 'GIS - AppSec Team - Project Vision' + condition: selection +falsepositives: + - Unknown +level: medium diff --git a/src/main/resources/rules/waf/web_cve_2023_25717_ruckus_wireless_admin_exploit_attempt.yml b/src/main/resources/rules/waf/web_cve_2023_25717_ruckus_wireless_admin_exploit_attempt.yml new file mode 100644 index 000000000..265f1c119 --- /dev/null +++ b/src/main/resources/rules/waf/web_cve_2023_25717_ruckus_wireless_admin_exploit_attempt.yml @@ -0,0 +1,30 @@ +title: Potential CVE-2023-25717 Exploitation Attempt +id: 043c1609-0e32-4462-a6f2-5a0c2da3fafe +status: experimental +description: Detects a potential exploitation attempt of CVE-2023-25717 a Remote Code Execution via an unauthenticated HTTP GET Request, in Ruckus Wireless Admin +references: + - https://cybir.com/2023/cve/proof-of-concept-ruckus-wireless-admin-10-4-unauthenticated-remote-code-execution-csrf-ssrf/ +author: Nasreddine Bencherchali (Nextron Systems) +date: 2023/05/30 +tags: + - attack.initial_access + - attack.t1190 + - cve.2023.25717 + - detection.emerging_threats +logsource: + category: webserver +detection: + selection: + cs-method: 'GET' + cs-uri-query|contains|all: + - '/forms/doLogin' + - 'login_username' + - 'password' + cs-uri-query|contains: + - '$(' + - '%24%28' # URL Encode version of "$(" + condition: selection +falsepositives: + - Vulnerability scanners + - Some rare false positives may occur if the password contains the characters "$(". Apply addition indicators such as executed commands to remove FP +level: high diff --git a/src/main/resources/rules/waf/web_sql_injection_in_access_logs.yml b/src/main/resources/rules/waf/web_sql_injection_in_access_logs.yml new file mode 100644 index 000000000..1f5f84f7b --- /dev/null +++ b/src/main/resources/rules/waf/web_sql_injection_in_access_logs.yml @@ -0,0 +1,60 @@ +title: SQL Injection Strings In URI +id: 5513deaf-f49a-46c2-a6c8-3f111b5cb453 +status: test +description: Detects potential SQL injection attempts via GET requests in access logs. +references: + - https://www.acunetix.com/blog/articles/exploiting-sql-injection-example/ + - https://www.acunetix.com/blog/articles/using-logs-to-investigate-a-web-application-attack/ + - https://brightsec.com/blog/sql-injection-payloads/ + - https://github.com/payloadbox/sql-injection-payload-list + - https://book.hacktricks.xyz/pentesting-web/sql-injection/mysql-injection +author: Saw Win Naung, Nasreddine Bencherchali (Nextron Systems), Thurein Oo (Yoma Bank) +date: 2020/02/22 +modified: 2023/09/04 +tags: + - attack.initial_access + - attack.t1190 +logsource: + category: webserver +detection: + selection: + cs-method: 'GET' + keywords: + - '@@version' + - '%271%27%3D%271' + - '=select ' + - '=select(' + - '=select%20' + - 'concat_ws(' + - 'CONCAT(0x' + - 'from mysql.innodb_table_stats' + - 'from%20mysql.innodb_table_stats' + - 'group_concat(' + - 'information_schema.tables' + - 'json_arrayagg(' + - 'or 1=1#' + - 'or%201=1#' + - 'order by ' + - 'order%20by%20' + - 'select * ' + - 'select database()' + - 'select version()' + - 'select%20*%20' + - 'select%20database()' + - 'select%20version()' + - 'select%28sleep%2810%29' + - 'SELECTCHAR(' + - 'table_schema' + - 'UNION ALL SELECT' + - 'UNION SELECT' + - 'UNION%20ALL%20SELECT' + - 'UNION%20SELECT' + - "'1'='1" + filter_main_status: + sc-status: 404 + condition: selection and keywords and not 1 of filter_main_* +falsepositives: + - Java scripts and CSS Files + - User searches in search boxes of the respective website + - Internal vulnerability scanners can cause some serious FPs when used, if you experience a lot of FPs due to this think of adding more filters such as "User Agent" strings and more response codes +level: high diff --git a/src/main/resources/rules/waf/web_susp_useragents.yml b/src/main/resources/rules/waf/web_susp_useragents.yml new file mode 100644 index 000000000..b0887ac4d --- /dev/null +++ b/src/main/resources/rules/waf/web_susp_useragents.yml @@ -0,0 +1,28 @@ +title: Suspicious User-Agents Related To Recon Tools +id: 19aa4f58-94ca-45ff-bc34-92e533c0994a +status: experimental +description: Detects known suspicious (default) user-agents related to scanning/recon tools +references: + - https://github.com/wpscanteam/wpscan/blob/196fbab5b1ce3870a43515153d4f07878a89d410/lib/wpscan/browser.rb + - https://github.com/xmendez/wfuzz/blob/1b695ee9a87d66a7d7bf6cae70d60a33fae51541/docs/user/basicusage.rst + - https://github.com/lanmaster53/recon-ng/blob/9e907dfe09fce2997f0301d746796408e01a60b7/recon/core/base.py#L92 +author: Nasreddine Bencherchali (Nextron Systems), Tim Shelton +date: 2022/07/19 +modified: 2023/01/02 +tags: + - attack.initial_access + - attack.t1190 +logsource: + category: webserver +detection: + selection: + cs-user-agent|contains: + # Add more tools as you see fit + - 'Wfuzz/' + - 'WPScan v' + - 'Recon-ng/v' + - 'GIS - AppSec Team - Project Vision' + condition: selection +falsepositives: + - Unknown +level: medium diff --git a/src/main/resources/rules/waf/web_xss_in_access_logs.yml b/src/main/resources/rules/waf/web_xss_in_access_logs.yml new file mode 100644 index 000000000..35e3d35bd --- /dev/null +++ b/src/main/resources/rules/waf/web_xss_in_access_logs.yml @@ -0,0 +1,48 @@ +title: Cross Site Scripting Strings +id: 65354b83-a2ea-4ea6-8414-3ab38be0d409 +status: experimental +description: Detects XSS attempts injected via GET requests in access logs +references: + - https://github.com/payloadbox/xss-payload-list + - https://portswigger.net/web-security/cross-site-scripting/contexts +author: Saw Win Naung, Nasreddine Bencherchali +date: 2021/08/15 +modified: 2022/06/14 +tags: + - attack.initial_access + - attack.t1189 +logsource: + category: webserver +detection: + select_method: + cs-method: 'GET' + keywords: + - '=