Fortinet CVE-2018-13379 Exploitation

Detects CVE-2018-13379 exploitation attempt against Fortinet SSL VPNs

Sigma rule (View on GitHub)

 1title: Fortinet CVE-2018-13379 Exploitation
 2id: a2e97350-4285-43f2-a63f-d0daff291738
 3status: test
 4description: Detects CVE-2018-13379 exploitation attempt against Fortinet SSL VPNs
 5references:
 6    - https://devco.re/blog/2019/08/09/attacking-ssl-vpn-part-2-breaking-the-Fortigate-ssl-vpn/
 7author: Bhabesh Raj
 8date: 2020-12-08
 9modified: 2023-01-02
10tags:
11    - attack.initial-access
12    - attack.t1190
13    - cve.2018-13379
14    - detection.emerging-threats
15logsource:
16    category: webserver
17detection:
18    selection:
19        cs-uri-query|contains|all:
20            - 'lang=/../../'
21            - '/dev/cmdb/sslvpn_websession'
22    condition: selection
23fields:
24    - client_ip
25    - url
26    - response
27falsepositives:
28    - Unknown
29level: critical

References

Related rules

to-top