Anomaly detection for Apache Tomcat

Detecting suspicious error log events which lead to potential security threats

Sigma rule

```yaml
title: Anomaly detection for Apache Tomcat
id: c7d39dfd-e48b-4cb1-81c6-30b4db01e619
status: experimental
description: Detecting suspicious error log events which lead to potential security threats
references:
  - Internal Research
author: Loginsoft Research Unit
date: 2020/07/21
logsource:
  product: Tomcat
  category: webserver
detection:
  keywords:
    - '[*] could not be completely deleted. The presence of the remaining files may cause problems'
    - 'Overflow error for buffer adding [*] bytes at position [*]'
    - 'Failed to trigger creation of the GC Daemon thread during Tomcat start to prevent possible memory leaks. This is expected on non-Sun JVMs'
    - 'Can''t load server.xml from'
    - 'Secure renegotation is not supported by the SSL library'
    - 'Restricted class'
    - 'Invalid method resource injection annotation'
    - 'Illegal JAR entry detected with name'
    - 'Unable to validate JAR entry with name'
    - 'The archive [*] is malformed and will be ignored: an entry contains an illegal path [*] which was not expanded to [*] since that is outside of the defined docBase [*] * consider BASE64 encoding your value'
    - 'Security Violation, attempt to use Restricted Class:'
    - 'Buffer overflow, no sink'
    - 'Overflow'
    - 'Unable to load server configuration from [*]'
    - 'Unable to determine umask. It appears Tomcat is running on Windows so skip the umask check'
    - 'Failed to parse value [*] as a valid umask'
    - 'Error using configured location for generated Tomcat embedded code [*]'
    - 'No umask setting was found in system property [*]. However, it appears Tomcat is running on a platform that supports umask. The system property is typically set in CATALINA_HOME/bin/catalina.sh. The Lifecycle listener org.apache.catalina.security.SecurityListener (usually configured in CATALINA_BASE/conf/server.xml) expects a umask at least as restrictive as [*]'
    - 'IntrospectionUtils: SecurityException for * ='
    - 'Restricted (ContainerServlet)'
    - 'A WebSocket text frame was received that could not be decoded to UTF-8 because it contained invalid byte sequences'
    - '[*] not a valid class name for a HostnameVerifier'
    - '[*] not a valid class name for an SSLSocketFactory'
    - 'An invalid value [*] was specified for the anti click-jacking header'
    - 'Calling hasUserDataPermission()'
    - 'Anti locking context[*] setting docBase to'
    - 'CORS Preflight request bypassing authentication'
    - 'Class * is not implementing java.security.Principal! Class not added.'
    - 'An expanded directory [*] was found with a last modified time that did not match the associated WAR. It will be deleted'
    - 'Unable to retrieve method [*] for resource [*] in container [*] so no cleanup was performed for that resource'
    - 'WebappClassLoader.findClassInternal(*) security exception:'
    - 'FAIL - Invalid context path * was specified'
    - 'FAIL - No context exists for path'
    - 'Unable to wrap data, invalid status [*]'
    - 'Rejecting request for *, session * with no CSRF nonce found in request'
    - 'Skipping CSRF nonce-check for GET request to entry point'
    - 'Unable to unwrap data, invalid status [*]'
    - 'Suspicious URL pattern: [*] in context [*], see sections 12.1 and 12.2 of the Servlet specification'
    - 'Buffer overflow and no sink is set, limit [*] and buffer length [*]'
    - 'error for buffer adding [*] bytes at position [*]'
  condition: keywords
falsepositives:
  - Unknown
level: high
```
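As an added example (not part of the rule or of the Sigma project), the Python below shows how a `keywords` list like the one above is evaluated: each keyword is an unanchored, case-insensitive substring match in which `*` spans any run of characters and `?` one character, so the `[*]` placeholders line up with the bracketed values Tomcat substitutes into its messages. The four keywords are copied from the rule; the catalina.out lines are constructed, not captured.

```python
import re

# Four keywords copied from the rule above. Sigma keywords are unanchored,
# case-insensitive "contains" matches: '*' spans any run of characters,
# '?' matches exactly one, and everything else (including '[' ']') is literal.
KEYWORDS = [
    'Suspicious URL pattern: [*] in context [*], see sections 12.1 and 12.2 of the Servlet specification',
    'Security Violation, attempt to use Restricted Class:',
    'Rejecting request for *, session * with no CSRF nonce found in request',
    'Illegal JAR entry detected with name',
]

def sigma_keyword_to_regex(keyword):
    """Compile a Sigma keyword into an unanchored, case-insensitive regex."""
    parts = []
    for ch in keyword:
        if ch == '*':
            parts.append('.*')
        elif ch == '?':
            parts.append('.')
        else:
            parts.append(re.escape(ch))  # brackets, dots, colons stay literal
    return re.compile(''.join(parts), re.IGNORECASE | re.DOTALL)

PATTERNS = [(kw, sigma_keyword_to_regex(kw)) for kw in KEYWORDS]

def match_keyword(line):
    """Return the first rule keyword the log line satisfies, or None."""
    for keyword, pattern in PATTERNS:
        if pattern.search(line):
            return keyword
    return None

def scan(lines):
    """Return (line, keyword) pairs for every line that would fire the rule."""
    return [(ln, match_keyword(ln)) for ln in lines if match_keyword(ln)]

# Constructed catalina.out excerpts (not captured from a real server).
SAMPLE_LOG = [
    "11-Aug-2020 09:12:44.101 WARNING [main] Suspicious URL pattern: [/*.jsp/] in context [/app], see sections 12.1 and 12.2 of the Servlet specification",
    "11-Aug-2020 09:12:45.204 INFO [main] Server startup in [2145] milliseconds",
    "11-Aug-2020 09:13:01.337 SEVERE [http-nio-8080-exec-3] Rejecting request for /admin/update, session 9A2B7C with no CSRF nonce found in request",
    "11-Aug-2020 09:14:10.008 WARNING [main] Illegal JAR entry detected with name ../outside/x.class",
]

if __name__ == "__main__":
    for line, keyword in scan(SAMPLE_LOG):
        print(f"HIT  {keyword!r}\n     {line}")
```

Only the three lines carrying rule keywords are reported; the INFO startup line, despite its bracketed value, matches nothing.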
