LoFP / expected to be continuously seen on systems exposed to the internet

Techniques

Sample rules

Path Traversal Exploitation Attempts

Description

Detects path traversal exploitation attempts

Detection logic

condition: selection
selection:
  cs-uri-query|contains:
  - ../../../../../lib/password
  - ../../../../windows/
  - ../../../etc/
  - ..%252f..%252f..%252fetc%252f
  - ..%c0%af..%c0%af..%c0%afetc%c0%af
  - '%252e%252e%252fetc%252f'