Anomaly detection for Spring framework

Detecting suspicious log events which lead to potential security threats

Sigma rule

```yaml
title: Anomaly detection for Spring framework
id: dc3e2af8-b579-4937-9312-fda8f8bffc45
status: experimental
description: Detecting suspicious log events which lead to potential security threats
author: Loginsoft Research Unit
references:
    - Internal Research
date: 2020/09/17
logsource:
    product: Spring
    category: application
detection:
    # Each keyword is searched for in the log message; '*' is a wildcard.
    keywords:
        - 'Cannot access Collection of type [*] - injecting original Collection as-is'
        - 'Failed to parse selector:'
        - "SQL error codes for '*' not found"
        - 'Schema resource [*] not found - falling back to XML parsing without schema validation'
        - 'XStreamMarshaller does not support unmarshalling using SAX XMLReaders'
        - 'Class not found during deserialization'
        - 'Failed to parse formatted value'
        - 'Failed to execute SQL script statement at line * of resource *:'
        # Double quotes are written unescaped, as they appear in the logged message.
        - 'Locale value "*" contains invalid characters'
        - 'Not allowed to accept serialized proxy classes'
        - 'Locale part "*" contains invalid characters'
        - 'Ignoring invalid resource path [*]'
        - 'Session not found for session with id'
        - 'Failed to get javax.websocket.server.ServerContainer via ServletContext attribute'
        - 'Sending Method Not Allowed (405)'
        - 'Failed to evaluate deserialization for type:'
        - 'Failed to evaluate serialization for type:'
        - 'Failed to close connection:'
        - 'Failed to parse WebSocket message to STOMP frame(s)'
        - 'Failed to calculate hash for resource [*]'
        - 'Either server or session contains a "." which is not allowed by SockJS protocol'
        - 'Handshake failed due to invalid * header'
        - 'Unsupported Type class:'
        - 'Could not rollback Session after failed transaction begin'
        - 'is not a valid exposed header value'
        - 'Failed to render script template'
        - 'Parse attempt failed for value [*]'
        - 'Failed to read JMSDestination property - skipping'
        - "Failed to evaluate 'java.class.path' manifest entries"
        - "Failed to serialize cache value '*'. Does it implement Serializable?"
        - 'Failed to obtain Resource content length'
        - 'Could not resolve beans DTD [*]: not found in classpath'
        - 'Failed to get SSL certificates'
        - 'Cannot validate individual value for'
        - 'Unexpected OverflowStrategy:'
        - 'Unsupported suspending handler method detected:'
    # Fires when any one of the keywords matches.
    condition: keywords
falsepositives:
    - Unknown
level: high
```
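How the rule's `keywords` list behaves against log lines, shown as an added example (not part of the original rule or Loginsoft's tooling). It assumes a backend that treats each keyword as a case-insensitive substring search with `*` and `?` as wildcards, uses a subset of the rule's keywords, and runs over constructed log lines; the function names are hypothetical.

```python
import re

# Subset of the rule's keywords, copied from its detection block.
KEYWORDS = [
    "Failed to parse selector:",
    "Class not found during deserialization",
    "Not allowed to accept serialized proxy classes",
    "Failed to execute SQL script statement at line * of resource *:",
    "Handshake failed due to invalid * header",
    "Ignoring invalid resource path [*]",
]

def keyword_to_regex(keyword):
    """Sigma wildcards to regex: '*' = any run, '?' = one char, and a
    backslash escapes a following wildcard; all other text is literal."""
    out, i = [], 0
    while i < len(keyword):
        ch = keyword[i]
        if ch == "\\" and keyword[i + 1:i + 2] in ("*", "?", "\\"):
            out.append(re.escape(keyword[i + 1]))
            i += 2
            continue
        out.append(".*" if ch == "*" else "." if ch == "?" else re.escape(ch))
        i += 1
    return re.compile("".join(out), re.IGNORECASE)  # Sigma strings ignore case

COMPILED = [(k, keyword_to_regex(k)) for k in KEYWORDS]

def scan(lines):
    """Return (line_number, [matched keywords]) for every line that hits at
    least one keyword, mirroring 'condition: keywords' (logical OR)."""
    hits = []
    for n, line in enumerate(lines, 1):
        matched = [k for k, rx in COMPILED if rx.search(line)]
        if matched:
            hits.append((n, matched))
    return hits

# Constructed sample log lines (timestamps, threads and values are made up).
SAMPLE_LOG = [
    "2020-09-17 10:01:02 WARN [http-1] Ignoring invalid resource path [/static/../WEB-INF/web.xml]",
    "2020-09-17 10:01:05 ERROR [ws-3] Handshake failed due to invalid Upgrade header: null",
    "2020-09-17 10:01:09 INFO [main] Started Application in 3.2 seconds",
    "2020-09-17 10:02:11 warn [init] failed to execute sql script statement at line 4 of resource data.sql: ...",
]

if __name__ == "__main__":
    for n, matched in scan(SAMPLE_LOG):
        print(f"line {n}: {matched}")
```

Because the rule lists `falsepositives: Unknown` at `level: high`, replaying it over a sample of normal application logs in this way gives a quick view of which keywords fire during routine operation before alerting is enabled.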
