Multiple Modsecurity Blocks
Detects multiple blocks by the mod_security module (Web Application Firewall)
Sigma rule
title: Multiple Modsecurity Blocks
id: a06eea10-d932-4aa6-8ba9-186df72c8d23
status: unsupported
description: Detects multiple blocks by the mod_security module (Web Application Firewall)
author: Florian Roth (Nextron Systems)
date: 2017/02/28
modified: 2023/03/24
tags:
    - attack.impact
    - attack.t1499
logsource:
    product: modsecurity
detection:
    selection:
        - 'mod_security: Access denied'
        - 'ModSecurity: Access denied'
        - 'mod_security-message: Access denied'
    timeframe: 120m
    condition: selection | count() > 6
falsepositives:
    - Vulnerability scanners
    - Frequent attacks if system faces Internet
level: medium
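The rule above combines a keyword selection with a time-windowed count: any log line containing one of the three "Access denied" strings is a block event, and an alert fires when more than 6 such events fall inside a trailing 120-minute window. The script below is an added illustration of that logic run over sample log lines; it is not code from the rule page or from the Sigma project. It assumes ModSecurity writes to the Apache error_log prefix format, that the keyword match is a case-insensitive substring match (how most Sigma backends treat a bare keyword list), and all log lines are constructed samples.

```python
"""Sliding-window count of ModSecurity 'Access denied' events.

Added illustration of the Sigma rule's detection section (not Sigma project
code). The keyword `selection` becomes a substring match and
`timeframe: 120m` / `count() > 6` becomes a trailing-window counter.
All log lines below are constructed samples in Apache error_log format.
"""
from collections import deque
from datetime import datetime, timedelta
import re

# The three keywords from the rule's `selection` list.
KEYWORDS = (
    "mod_security: Access denied",
    "ModSecurity: Access denied",
    "mod_security-message: Access denied",
)
TIMEFRAME = timedelta(minutes=120)   # timeframe: 120m
THRESHOLD = 6                        # condition: selection | count() > 6

# Apache error_log prefix, e.g. "[Tue Mar 28 10:00:00.000000 2023] [security2:error] ..."
_TS_RE = re.compile(r"^\[(\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2}\.\d+ \d{4})\] (.*)$")


def parse_line(line):
    """Return (timestamp, message) or None if the line has no Apache-style prefix."""
    m = _TS_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S.%f %Y")
    return ts, m.group(2)


def is_block(message):
    """Sigma keyword selection, assumed case-insensitive substring match."""
    low = message.lower()
    return any(k.lower() in low for k in KEYWORDS)


def find_alerts(lines, timeframe=TIMEFRAME, threshold=THRESHOLD):
    """Return [(timestamp, count)] for every block event at which the number of
    block events in the trailing `timeframe` exceeds `threshold`."""
    parsed = [p for p in (parse_line(l) for l in lines) if p is not None]
    events = sorted(ts for ts, msg in parsed if is_block(msg))
    window = deque()
    alerts = []
    for ts in events:
        window.append(ts)
        # Evict events that fell out of the trailing window.
        while window[0] < ts - timeframe:
            window.popleft()
        if len(window) > threshold:
            alerts.append((ts, len(window)))
    return alerts


def _line(hhmm, message):
    # Constructed Apache error_log line for 2023-03-28 at the given time.
    return (f"[Tue Mar 28 {hhmm}:00.000000 2023] [security2:error] [pid 4242] "
            f"[client 203.0.113.10:51000] {message}")


DENIED = 'ModSecurity: Access denied with code 403 (phase 2). [msg "constructed sample block"]'
WARNING = 'ModSecurity: Warning. Pattern match "constructed sample" (no block, should not count)'

# Constructed sample log: 3 blocks at 07:00-07:10 (too few, and outside the
# later window), one non-block warning, then 8 blocks between 10:00 and 10:14.
SAMPLE_LOG = (
    [_line(t, DENIED) for t in ("07:00", "07:05", "07:10")]
    + [_line("09:30", WARNING)]
    + [_line(f"10:{m:02d}", DENIED) for m in range(0, 16, 2)]
)

if __name__ == "__main__":
    for ts, count in find_alerts(SAMPLE_LOG):
        print(f"{ts:%Y-%m-%d %H:%M} blocks in last 120m: {count} (> {THRESHOLD})")
```

On the constructed sample the first alert appears at the seventh block of the 10:00 cluster; the three early-morning blocks never count because they are both below the threshold and outside the 120-minute window by the time the cluster starts. Lowering `THRESHOLD` or lengthening `TIMEFRAME` shows how quickly a scanner or an Internet-exposed host (the rule's listed false positives) would trip the rule.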
Related rules
- Suspicious Multiple File Rename Or Delete Occurred
- Vice Society Encrypted File Extension File Creation
- Boot Configuration Database (BCD) Manipulation - Registry Modification
- Use of bcdedit to Disrupt Boot Processes
- WMIC Shadow Copy Deletion