OpenCanary - HTTP POST Login Attempt
Detects instances where an HTTP service on an OpenCanary node has had login attempt via Form POST.
Sigma rule (View on GitHub)
1title: OpenCanary - HTTP POST Login Attempt
2id: af1ac430-df6b-4b38-b976-0b52f07a0252
3status: experimental
4description: |
5 Detects instances where an HTTP service on an OpenCanary node has had login attempt via Form POST.
6references:
7 - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
8 - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
9author: Security Onion Solutions
10date: 2024/03/08
11tags:
12 - attack.initial_access
13 - attack.t1190
14logsource:
15 category: application
16 product: opencanary
17detection:
18 selection:
19 logtype: 3001
20 condition: selection
21falsepositives:
22 - Unlikely
23level: high
References
-
Configuration Since we have many services, and each service has a few options, we have listed them all for you. Services Configuration We have gone ahead and listed all the services by their config...
Read More -
Modular and decentralised honeypot. Contribute to thinkst/opencanary development by creating an account on GitHub.
Read More
Related rules
- OpenCanary - FTP Login Attempt
- OpenCanary - HTTP GET Request
- Suspicious Child Process Of SQL Server
- OWASSRF Exploitation Attempt Using Public POC - Proxy
- OWASSRF Exploitation Attempt Using Public POC - Webserver