LoFP / false positives are not expected, however, monitor, filter, and tune as needed based on organization log sources.

Sample rules

HTTP Duplicated Header

Description

Detects when a request has more than one of the same header. This is commonly used in request smuggling and other web-based attacks. HTTP Request Smuggling exploits inconsistencies in how front-end and back-end servers parse HTTP requests by using ambiguous or malformed headers to hide malicious requests within legitimate ones. Attackers leverage duplicate headers, particularly Content-Length and Transfer-Encoding, to cause different servers in the chain to disagree on where one request ends and another begins. RFC 7230 states that a sender MUST NOT generate multiple header fields with the same field name in a message unless either the entire field value for that header field is defined as a comma-separated list or the header field is a well-known exception.

Detection logic

`suricata` http.request_headers{}.name="*" 
| rename dest_ip as dest 
| spath path=http.request_headers{}.name output=header_names 
| mvexpand header_names 
| where lower(header_names) != "set-cookie" 
| stats count by _raw, header_names, src_ip, dest 
| where count > 1 
| stats values(header_names) as duplicate_headers by _raw, count, src_ip, dest 
| `http_duplicated_header_filter`

HTTP Possible Request Smuggling

Description

HTTP request smuggling is a technique for interfering with the way a web site processes sequences of HTTP requests that are received from one or more users. Request smuggling vulnerabilities are often critical in nature, allowing an attacker to bypass security controls, gain unauthorized access to sensitive data, and directly compromise other application users. This detection identifies a common request smuggling technique of using both Content-Length and Transfer-Encoding headers to cause a parsing confusion between the frontend and backend.

Detection logic

`suricata` (http.request_headers{}.name="*Content-Length*" http.request_headers{}.name="*Transfer-Encoding*") OR (http.request_headers{}.name="*Content-Length*" http.request_headers{}.value="*Transfer-Encoding*") OR (http.request_headers{}.value="*Content-Length*" http.request_headers{}.name="*Transfer-Encoding*") OR (http.request_headers{}.name="*Content-Length*" http.request_headers{}.value="0") 
| rename dest_ip as dest 
| rex field=_raw "request_headers.:\[(?<headers>.*)\]" 
| stats count min(_time) as firstTime max(_time) as lastTime by dest, dest_port, src_ip, http.url, http.http_method, http.http_user_agent, http.protocol, http.status, headers 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `http_possible_request_smuggling_filter`
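The two searches above (HTTP Duplicated Header and HTTP Possible Request Smuggling) both read the `http.request_headers{}` array that Suricata emits with `dump-all-headers` enabled. The following Python is an added example, not code from the page or from the Splunk security content project: it applies the same two checks to constructed EVE JSON lines so the logic can be exercised offline. The sample records, IP addresses and timestamps are constructed; the only assumed field layout is Suricata's `request_headers` list of `{"name", "value"}` objects. The four OR'd clauses of the smuggling search are mirrored one-for-one, including the loose fourth clause, which fires on a Content-Length header plus any header whose value is exactly `0`, and the `set-cookie` allow-list is the only duplicate the first rule excludes.

```python
import json
from collections import Counter

# Constructed Suricata EVE-style HTTP records (sample input for this example, not real traffic).
# Layout follows EVE output with dump-all-headers: http.request_headers is a list of
# {"name": ..., "value": ...} objects, so a repeated header appears as a repeated name.
SAMPLE_EVE_LINES = [
    json.dumps({"timestamp": "2024-03-05T10:15:01.000000+0000", "event_type": "http",
                "src_ip": "10.0.0.5", "dest_ip": "192.0.2.10", "dest_port": 80,
                "http": {"url": "/index.html", "http_method": "GET",
                         "request_headers": [{"name": "Host", "value": "www.example.com"},
                                             {"name": "Accept", "value": "*/*"}]}}),
    json.dumps({"timestamp": "2024-03-05T10:15:02.000000+0000", "event_type": "http",
                "src_ip": "10.0.0.7", "dest_ip": "192.0.2.10", "dest_port": 80,
                "http": {"url": "/api/login", "http_method": "POST",
                         "request_headers": [{"name": "Host", "value": "www.example.com"},
                                             {"name": "Content-Length", "value": "13"},
                                             {"name": "Transfer-Encoding", "value": "chunked"}]}}),
    json.dumps({"timestamp": "2024-03-05T10:15:03.000000+0000", "event_type": "http",
                "src_ip": "10.0.0.9", "dest_ip": "192.0.2.10", "dest_port": 80,
                "http": {"url": "/api/upload", "http_method": "POST",
                         "request_headers": [{"name": "Host", "value": "www.example.com"},
                                             {"name": "Content-Length", "value": "5"},
                                             {"name": "Content-Length", "value": "13"}]}}),
    json.dumps({"timestamp": "2024-03-05T10:15:04.000000+0000", "event_type": "http",
                "src_ip": "10.0.0.7", "dest_ip": "192.0.2.10", "dest_port": 80,
                "http": {"url": "/api/login", "http_method": "POST",
                         "request_headers": [{"name": "Host", "value": "www.example.com"},
                                             {"name": "Content-Length", "value": "0"},
                                             {"name": "X-Original", "value": "Transfer-Encoding: chunked"}]}}),
]

ALLOWED_DUPLICATES = {"set-cookie"}  # the only header the duplicated-header rule excludes


def parse_sample(index):
    """Return one constructed sample record as a dict."""
    return json.loads(SAMPLE_EVE_LINES[index])


def _headers(record):
    return record.get("http", {}).get("request_headers", [])


def duplicate_headers(record):
    """Header names seen more than once, minus the allow-list (HTTP Duplicated Header)."""
    counts = Counter(h["name"].lower() for h in _headers(record))
    return sorted(n for n, c in counts.items() if c > 1 and n not in ALLOWED_DUPLICATES)


def smuggling_indicators(record):
    """The four OR'd conditions of the HTTP Possible Request Smuggling search, in search order."""
    names = {h["name"].lower() for h in _headers(record)}
    values = [str(h.get("value", "")).lower() for h in _headers(record)]
    has_cl, has_te = "content-length" in names, "transfer-encoding" in names
    te_in_value = any("transfer-encoding" in v for v in values)   # value="*Transfer-Encoding*"
    cl_in_value = any("content-length" in v for v in values)      # value="*Content-Length*"
    zero_value = "0" in values                                    # value="0" (any header)
    reasons = []
    if has_cl and has_te:
        reasons.append("cl_and_te_headers")
    if has_cl and te_in_value:
        reasons.append("te_inside_header_value")
    if cl_in_value and has_te:
        reasons.append("cl_inside_header_value")
    if has_cl and zero_value:
        reasons.append("header_value_zero")
    return reasons


def analyze(lines):
    """Run both checks over EVE JSON lines and return one finding dict per rule hit."""
    findings = []
    for line in lines:
        rec = json.loads(line)
        if rec.get("event_type") != "http":
            continue
        base = {"time": rec["timestamp"], "src_ip": rec["src_ip"], "dest": rec["dest_ip"]}
        dups = duplicate_headers(rec)
        if dups:
            findings.append({**base, "rule": "http_duplicated_header", "detail": dups})
        reasons = smuggling_indicators(rec)
        if reasons:
            findings.append({**base, "rule": "http_possible_request_smuggling", "detail": reasons})
    return findings


def summarize(findings):
    """Roll findings up per (rule, src_ip, dest) with count/firstTime/lastTime, like the stats clauses."""
    out = {}
    for f in findings:
        key = (f["rule"], f["src_ip"], f["dest"])
        s = out.setdefault(key, {"count": 0, "firstTime": f["time"], "lastTime": f["time"]})
        s["count"] += 1
        s["firstTime"] = min(s["firstTime"], f["time"])   # timestamps share one format, so string order works
        s["lastTime"] = max(s["lastTime"], f["time"])
    return out


if __name__ == "__main__":
    for key, s in summarize(analyze(SAMPLE_EVE_LINES)).items():
        print(key, s)
```

Feeding a real `eve.json` through `analyze(open("eve.json"))` gives the same grouping the Splunk `stats` clauses produce; tuning the allow-list (for example adding genuinely comma-list headers such as Accept) is where the LoFP note about filtering per log source applies.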

JetBrains TeamCity Limited Auth Bypass Suricata CVE-2024-27199

Description

The following analytic identifies attempts to exploit CVE-2024-27199, a critical vulnerability in JetBrains TeamCity web server, allowing unauthenticated access to specific endpoints. It detects unusual access patterns to vulnerable paths such as /res/, /update/, and /.well-known/acme-challenge/ by monitoring HTTP traffic logs via Suricata. This activity is significant as it could indicate an attacker bypassing authentication to access or modify system settings. If confirmed malicious, this could lead to unauthorized changes, disclosure of sensitive information, or uploading of malicious certificates, severely compromising the server’s security.

Detection logic

`suricata` http.url IN ("*../admin/diagnostic.jsp*", "*../app/https/settings/*", "*../app/pipeline*", "*../app/oauth/space/createBuild.html*", "*../res/*", "*../update/*", "*../.well-known/acme-challenge/*", "*../app/availableRunners*", "*../app/https/settings/setPort*", "*../app/https/settings/certificateInfo*", "*../app/https/settings/defaultHttpsPort*", "*../app/https/settings/fetchFromAcme*", "*../app/https/settings/removeCertificate*", "*../app/https/settings/uploadCertificate*", "*../app/https/settings/termsOfService*", "*../app/https/settings/triggerAcmeChallenge*", "*../app/https/settings/cancelAcmeChallenge*", "*../app/https/settings/getAcmeOrder*", "*../app/https/settings/setRedirectStrategy*") http.status=200 http_method=GET 
| stats count min(_time) as firstTime max(_time) as lastTime by src, dest, http_user_agent, http.url, http.status, http_method 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `jetbrains_teamcity_limited_auth_bypass_suricata_cve_2024_27199_filter`
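The TeamCity search is a substring match on `http.url` for the listed endpoints, gated on a successful GET. The Python below is an added example, not code from the page or the Splunk security content project: it re-creates that match over constructed EVE JSON lines and goes one step beyond the search by percent-decoding the URL before matching, so a traversal sequence logged in encoded form still counts. Two observations about the page's own list are encoded as comments: the wildcard entries are plain substrings once the `*` is removed, and every `setPort`, `certificateInfo`, ... entry is already subsumed by the `../app/https/settings/` entry. Sample records, IPs, user agents and timestamps are constructed.

```python
import json
from urllib.parse import unquote

# Endpoint fragments from the rule with the SPL wildcards stripped; each is matched as a substring.
# The rule's individual ../app/https/settings/<action> entries are all covered by the
# ../app/https/settings/ prefix, so they are not repeated here.
BYPASS_PATHS = (
    "../admin/diagnostic.jsp",
    "../app/https/settings/",
    "../app/pipeline",
    "../app/oauth/space/createBuild.html",
    "../res/",
    "../update/",
    "../.well-known/acme-challenge/",
    "../app/availableRunners",
)

# Constructed Suricata EVE-style HTTP records (sample input, not real traffic).
SAMPLE_TEAMCITY_LINES = [
    json.dumps({"timestamp": "2024-03-06T09:00:01.000000+0000", "event_type": "http",
                "src_ip": "198.51.100.20", "dest_ip": "192.0.2.30",
                "http": {"url": "/app/rest/server", "http_method": "GET", "status": 200,
                         "http_user_agent": "curl/8.0"}}),
    json.dumps({"timestamp": "2024-03-06T09:00:02.000000+0000", "event_type": "http",
                "src_ip": "198.51.100.20", "dest_ip": "192.0.2.30",
                "http": {"url": "/anything/../admin/diagnostic.jsp", "http_method": "GET", "status": 200,
                         "http_user_agent": "curl/8.0"}}),
    json.dumps({"timestamp": "2024-03-06T09:00:03.000000+0000", "event_type": "http",
                "src_ip": "198.51.100.20", "dest_ip": "192.0.2.30",
                "http": {"url": "/anything/..%2Fapp/https/settings/uploadCertificate", "http_method": "GET",
                         "status": 200, "http_user_agent": "curl/8.0"}}),
    json.dumps({"timestamp": "2024-03-06T09:00:04.000000+0000", "event_type": "http",
                "src_ip": "203.0.113.5", "dest_ip": "192.0.2.30",
                "http": {"url": "/anything/../admin/diagnostic.jsp", "http_method": "GET", "status": 401,
                         "http_user_agent": "curl/8.0"}}),
    json.dumps({"timestamp": "2024-03-06T09:00:09.000000+0000", "event_type": "http",
                "src_ip": "198.51.100.20", "dest_ip": "192.0.2.30",
                "http": {"url": "/anything/../admin/diagnostic.jsp", "http_method": "GET", "status": 200,
                         "http_user_agent": "curl/8.0"}}),
]


def normalize_url(url):
    """Percent-decode twice and lower-case; an extension beyond the search's literal match."""
    return unquote(unquote(url)).lower()


def matched_path(url):
    """Return the first rule fragment found in the normalized URL, or None."""
    u = normalize_url(url)
    for fragment in BYPASS_PATHS:
        if fragment.lower() in u:
            return fragment
    return None


def teamcity_bypass_hits(lines):
    """Successful (200) GETs to a listed path, grouped like the search's stats clause."""
    hits = {}
    for line in lines:
        rec = json.loads(line)
        http = rec.get("http", {})
        if rec.get("event_type") != "http" or http.get("http_method") != "GET":
            continue
        if str(http.get("status")) != "200":     # 401/403 means auth held; not a bypass
            continue
        fragment = matched_path(http.get("url", ""))
        if fragment is None:
            continue
        key = (rec["src_ip"], rec["dest_ip"], http.get("http_user_agent", ""), http["url"])
        h = hits.setdefault(key, {"count": 0, "firstTime": rec["timestamp"],
                                  "lastTime": rec["timestamp"], "matched": fragment})
        h["count"] += 1
        h["firstTime"] = min(h["firstTime"], rec["timestamp"])
        h["lastTime"] = max(h["lastTime"], rec["timestamp"])
    return hits


if __name__ == "__main__":
    for key, h in teamcity_bypass_hits(SAMPLE_TEAMCITY_LINES).items():
        print(key, h)
```

The 401 record is dropped on purpose: the search keys on `http.status=200` because a denied traversal attempt is noise relative to a request that actually returned content from a protected endpoint.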