Fortinet CVE-2018-13379 Exploitation
Detects CVE-2018-13379 exploitation attempt against Fortinet SSL VPNs
Sigma rule
title: Fortinet CVE-2018-13379 Exploitation
id: a2e97350-4285-43f2-a63f-d0daff291738
status: test
description: Detects CVE-2018-13379 exploitation attempt against Fortinet SSL VPNs
references:
    - https://devco.re/blog/2019/08/09/attacking-ssl-vpn-part-2-breaking-the-Fortigate-ssl-vpn/
author: Bhabesh Raj
date: 2020/12/08
modified: 2023/01/02
tags:
    - attack.initial_access
    - attack.t1190
    - cve.2018.13379
    - detection.emerging_threats
logsource:
    category: webserver
detection:
    selection:
        cs-uri-query|contains|all:
            - 'lang=/../../'
            - '/dev/cmdb/sslvpn_websession'
    condition: selection
fields:
    - client_ip
    - url
    - response
falsepositives:
    - Unknown
level: critical
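As an added illustration (not part of the rule or its repository), the sketch below applies the rule's `cs-uri-query|contains|all` selection to W3C extended log records: both substrings must be present in the query field, compared case-insensitively as Sigma does by default. The log lines, `/example/path`, the `PLACEHOLDER` segment, the IP addresses and the mapping of W3C columns onto the rule's `fields` are constructed assumptions.

```python
# Added example: evaluate the rule's selection over W3C extended log records.
# All log lines, paths and addresses below are constructed for illustration.

# Substrings taken from the rule's `cs-uri-query|contains|all` selection.
REQUIRED = ["lang=/../../", "/dev/cmdb/sslvpn_websession"]

# Constructed sample log; the #Fields directive names the columns.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2020-12-08 10:00:01 192.0.2.10 GET /example/path lang=en 200
2020-12-08 10:00:02 198.51.100.7 GET /example/path lang=/../../PLACEHOLDER/dev/cmdb/sslvpn_websession 200
2020-12-08 10:00:03 198.51.100.7 GET /example/path LANG=/../../PLACEHOLDER/DEV/CMDB/SSLVPN_WEBSESSION 404
2020-12-08 10:00:04 203.0.113.5 GET /example/path lang=/../../PLACEHOLDER/other 200
2020-12-08 10:00:05 203.0.113.5 GET /dev/cmdb/sslvpn_websession - 404
"""


def matches_selection(query):
    """Sigma `contains|all`: every substring must occur, case-insensitively."""
    q = query.lower()
    return all(s.lower() in q for s in REQUIRED)


def scan(log_text):
    """Return rule hits as dicts carrying the rule's output fields."""
    columns, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            columns = line.split()[1:]  # column names for the records that follow
            continue
        if not line or line.startswith("#") or not columns:
            continue
        values = line.split()
        if len(values) != len(columns):
            continue  # malformed record: skip rather than misalign fields
        rec = dict(zip(columns, values))
        if matches_selection(rec.get("cs-uri-query", "")):
            # Assumed mapping of the rule's fields (client_ip, url, response)
            # onto W3C column names.
            hits.append({"client_ip": rec.get("c-ip"),
                         "url": rec.get("cs-uri-stem", "") + "?" + rec["cs-uri-query"],
                         "response": rec.get("sc-status")})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The rule fires on the request regardless of status code, so the `response` value on each hit is what an analyst reviews next during triage.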
Related rules
- CVE-2010-5278 Exploitation Attempt
- CVE-2020-0688 Exchange Exploitation via Web Log
- CVE-2020-0688 Exploitation Attempt
- CVE-2020-10148 SolarWinds Orion API Auth Bypass
- CVE-2020-5902 F5 BIG-IP Exploitation Attempt