Anomaly detection for WildFly

Detects suspicious log events that may indicate potential security threats

Sigma rule

```yaml
title: Anomaly detection for wildfly
id: a3d39ccf-57f2-4662-8632-34ba483ea260
status: experimental
description: Detecting suspicious log events which lead to potential security threats
author: Loginsoft Research Unit
references:
    - Internal Research
date: 2020/08/12
logsource:
  product: wildfly
  category: webserver
detection:
    keywords:
      - 'SSL support has been enabled but no security domain or client/server SSL contexts have been specified'
      - 'Invalid IOR or URL:'
      - '*: unescaped \\ at end of component'
      - 'Invalid * URL:'
      - 'Could not create redirect URI'
      - 'A valid JNDI name must be provided:'
      - 'Unable to transform URL binding value'
      - 'Bad type for parameter at *. Expected *, but was'
      - 'Failed to parse service xml [*]'
      - 'Rejecting call because it is not part of any XTS transaction'
      - 'Cannot get transaction status on handling context'
      - 'Malformed URL provided for option'
      - 'Failed to parse * at [*,*]'
      - 'Failed to parse *'
      - 'Failed to destroy component instance'
      - 'Failed to locate executor service'
      - 'Failed to construct component instance'
      - 'attempt to add a Permission to a readonly PermissionCollection'
      - 'Shutting down process controller'
      - Cannot resolve com.mysq.jdbc.ReplicationConnection.ping method. Will use 'SELECT 1' instead
      - persistence unit name (*) contains illegal '/' character
      - 'Setting security roles:'
      - 'Invalid User'
      - 'Unable to find closing quote for'
      - 'Failed to create instance'
      - 'duplicate pk sql:'
      - 'plugin * requires root permissions to execute, skipping'
      - 'Failed to init SSLContext'
      - 'Failed to get SSLContext for TLS algorithm'
      - 'Missing mandatory part of JASPI configuration in the security domain'
      - 'Failed to verify password in JAAS callbackhandler'
      - 'Authorization failed'
      - 'only string password accepted'
    condition: keywords
falsepositives:
  - Unknown
level: high
```
