Anomaly detection for Apache Tomcat
Detecting suspicious error log events which lead to potential security threats
Sigma rule

```yaml
title: Anomaly detection for Apache Tomcat
id: e65d67af-644d-4f8f-ac70-d71a1f9f80ff
status: experimental
description: Detecting suspicious error log events which lead to potential security threats
references:
  - Internal Research
author: Loginsoft Research Unit
date: 2020/07/21
logsource:
  product: Tomcat
  category: webserver
detection:
  keywords:
    - 'Suspicious url pattern: \"*\" in context [*] - see section SRV.11.2 of the Servlet specification'
    - 'The war name [*] is invalid. The archive will be ignored'
    - 'Failed authenticate() test ??'
    - 'XML parsing error on file [*]: (line [*], col [*])'
    - 'Unable to determine canonical name of file [*] specified for use with sendfile'
    - 'Sendfile configured to send more data than was available'
    - 'Exception in thread \"*\" java.lang.IllegalArgumentException'
    - 'Failed authenticate() test'
    - 'It is not allowed to configure supportsCredentials=[true] when allowedOrigins=[*]'
    - 'Decoded command line arguments [*] do not match the configured cmdLineArgumentsDecoded pattern [*]'
    - 'Calling hasUserDataPermission()'
    - 'Checking for all roles mode:'
    - 'Connection [*], Stream [*], Unknown pseudo header [*] received'
    - 'Invalid escape character in cookie value'
    - 'Unable to determine the canonical name of the file [*] specified to be used with sendfile'
    - 'Suspicious url pattern: \"*\" in context [*] - see sections 12.1 and 12.2 of the Servlet specification'
    - 'Error loading XML from file [*]'
    - 'Security Violation, attempt to use Restricted Class:'
    - 'Access to class [*] is forbidden. It is a restricted class (implements ContainerServlet interface). A web application must be configured as privileged to be able to load it'
    - 'The decoded command line argument [*] did not match the configured cmdLineArgumentsDecoded pattern [*]'
  condition: keywords
falsepositives:
  - Unknown
level: critical
```
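To show how the `keywords` condition above is evaluated, here is an added Python example (not part of the rule, the Loginsoft research, or the Sigma project) that translates a subset of the rule's keywords into regexes using Sigma wildcard semantics (`*`, `?`, backslash escapes, case-insensitive substring match) and runs them over constructed catalina.out-style lines. The keyword subset and the sample log lines are assumptions made for the demo.

```python
import re

# Subset of the rule's keywords (selection made for this example).
# '*' and '?' are Sigma wildcards; a backslash escapes them.
KEYWORDS = [
    'The war name [*] is invalid. The archive will be ignored',
    'Failed authenticate() test',
    'Security Violation, attempt to use Restricted Class:',
    'Connection [*], Stream [*], Unknown pseudo header [*] received',
    'Invalid escape character in cookie value',
]

def sigma_to_regex(keyword):
    """Translate a Sigma string pattern into a case-insensitive substring regex."""
    out, i = [], 0
    while i < len(keyword):
        c = keyword[i]
        if c == '\\' and i + 1 < len(keyword) and keyword[i + 1] in '*?\\':
            c, i = keyword[i + 1], i + 1  # escaped wildcard or backslash: literal
            out.append(re.escape(c))
        elif c == '*':
            out.append('.*')
        elif c == '?':
            out.append('.')
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile(''.join(out), re.IGNORECASE | re.DOTALL)

COMPILED = [(k, sigma_to_regex(k)) for k in KEYWORDS]

def match_event(line):
    """Return the first rule keyword that matches a log line, or None."""
    for keyword, pattern in COMPILED:
        if pattern.search(line):
            return keyword
    return None

# Constructed catalina.out-style lines for the demo; not real log data.
SAMPLE_LOG = [
    '21-Jul-2020 10:02:11.130 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in 1342 ms',
    '21-Jul-2020 10:05:40.001 WARNING [main] org.apache.catalina.startup.HostConfig.deployWAR The war name [bad#name.war] is invalid. The archive will be ignored',
    '21-Jul-2020 10:07:12.500 SEVERE [http-nio-8080-exec-3] org.apache.catalina.core.StandardContext.loadOnStartup Security Violation, attempt to use Restricted Class: some.restricted.Example',
]

def alerts(lines):
    """Evaluate the rule's keyword condition: [(line_no, matched_keyword), ...]."""
    return [(n, k) for n, l in enumerate(lines, 1) if (k := match_event(l))]
```

Because the rule's condition is a bare `keywords` list, any single match fires the (critical) alert; the first sample line is a normal startup message and produces nothing.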