Multiple Suspicious Resp Codes Caused by Single Client
Detects possible exploitation activity or bugs in a web application
Sigma rule
```yaml
title: Multiple Suspicious Resp Codes Caused by Single Client
id: 6fdfc796-06b3-46e8-af08-58f3505318af
status: unsupported
description: Detects possible exploitation activity or bugs in a web application
author: Thomas Patzke
date: 2017/02/19
modified: 2023/03/24
tags:
    - attack.initial_access
    - attack.t1190
logsource:
    category: webserver
detection:
    selection:
        sc-status:
            - 400
            - 401
            - 403
            - 500
    timeframe: 10m
    condition: selection | count() by clientip > 10
fields:
    - client_ip
    - vhost
    - url
    - response
falsepositives:
    - Unstable application
    - Application that misuses the response codes
level: medium
```
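The rule's condition (more than 10 responses with status 400, 401, 403 or 500 from one client IP inside a 10-minute window) as a stand-alone check over web server logs, written here as an added example rather than code from the Sigma project. It assumes Apache/NGINX combined log format and constructs its own sample lines; the sliding window means a client that spreads the same number of errors over a longer period does not fire, which is the behaviour a backend evaluating `timeframe: 10m` gives you.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

SUSPICIOUS_CODES = {400, 401, 403, 500}  # the rule's sc-status list
TIMEFRAME = timedelta(minutes=10)        # timeframe: 10m
THRESHOLD = 10                           # condition: count() by clientip > 10
# Combined log format, e.g. 203.0.113.5 - - [19/Feb/2017:10:00:00 +0000] "GET / HTTP/1.1" 401 512
LOG_RE = re.compile(r'^(?P<clientip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" (?P<status>\d{3}) \d+')

def parse_line(line):
    """Return (clientip, timestamp, status) for one log line, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("clientip"), ts, int(m.group("status"))

def find_offenders(lines):
    """Map clientip -> peak number of suspicious responses seen inside any
    sliding 10-minute window, for clients whose peak exceeds THRESHOLD."""
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e[1])
    windows, offenders = defaultdict(deque), {}
    for ip, ts, status in events:
        if status not in SUSPICIOUS_CODES:
            continue  # 2xx/3xx and other codes never count toward the threshold
        q = windows[ip]
        q.append(ts)
        while ts - q[0] > TIMEFRAME:  # evict responses that fell out of the window
            q.popleft()
        if len(q) > THRESHOLD:
            offenders[ip] = max(offenders.get(ip, 0), len(q))
    return offenders

def _line(ip, when, status):
    return f'{ip} - - [{when:%d/%b/%Y:%H:%M:%S +0000}] "GET /login HTTP/1.1" {status} 512'

# Constructed sample log (not from the page): one noisy client, one slow one, one clean one.
T0 = datetime(2017, 2, 19, 10, 0, tzinfo=timezone.utc)
SAMPLE_LOG = (
    # 12 suspicious responses within 6 minutes -> exceeds 10 in a 10m window
    [_line("203.0.113.5", T0 + timedelta(seconds=30 * i), (400, 401, 403, 500)[i % 4]) for i in range(12)]
    # 11 errors spread over 20 minutes -> at most 6 in any 10m window, no alert
    + [_line("198.51.100.7", T0 + timedelta(minutes=2 * i), 500) for i in range(11)]
    # 30 successful requests -> never counted
    + [_line("192.0.2.9", T0 + timedelta(seconds=i), 200) for i in range(30)]
)

if __name__ == "__main__":
    print(find_offenders(SAMPLE_LOG))  # {'203.0.113.5': 12}
```

Field names differ per backend (the rule counts by `clientip` but lists `client_ip` in its output fields), so map them to your log source's actual column before deploying.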
Related rules
- OMIGOD SCX RunAsProvider ExecuteScript
- Disabled Users Failing To Authenticate From Source Using Kerberos
- Invalid Users Failing To Authenticate From Single Source Using NTLM
- Invalid Users Failing To Authenticate From Source Using Kerberos
- Multiple Users Failing to Authenticate from Single Process