Techniques
Sample rules
Cross Site Scripting Strings
- source: sigma
- techniques:
  - t1189
Description
Detects XSS attempts injected via GET requests in access logs.
Detection logic
condition: select_method and keywords and not filter
filter:
  sc-status: 404
keywords:
  - =<script>
  - =%3Cscript%3E
  - =%253Cscript%253E
  - '<iframe '
  - '%3Ciframe '
  - '<svg '
  - '%3Csvg '
  - document.cookie
  - document.domain
  - ' onerror='
  - ' onresize='
  - ' onload="'
  - onmouseover=
  - ${alert
  - javascript:alert
  - javascript%3Aalert
select_method:
  cs-method: GET
Server Side Template Injection Strings
- source: sigma
- techniques:
  - t1221
Description
Detects SSTI attempts sent via GET requests in access logs.
Detection logic
condition: select_method and keywords and not filter
filter:
  sc-status: 404
keywords:
  - ={{
  - =%7B%7B
  - =${
  - =$%7B
  - =<%=
  - =%3C%25=
  - =@(
  - freemarker.template.utility.Execute
  - .getClass().forName('javax.script.ScriptEngineManager')
  - T(org.apache.commons.io.IOUtils)
select_method:
  cs-method: GET
SQL Injection Strings In URI
- source: sigma
- techniques:
  - t1190
Description
Detects potential SQL injection attempts via GET requests in access logs.
Detection logic
condition: selection and keywords and not 1 of filter_main_*
filter_main_status:
  sc-status: 404
keywords:
  - '@@version'
  - '%271%27%3D%271'
  - '=select '
  - =select(
  - =select%20
  - concat_ws(
  - CONCAT(0x
  - from mysql.innodb_table_stats
  - from%20mysql.innodb_table_stats
  - group_concat(
  - information_schema.tables
  - json_arrayagg(
  - or 1=1#
  - or%201=1#
  - 'order by '
  - order%20by%20
  - 'select * '
  - select database()
  - select version()
  - select%20*%20
  - select%20database()
  - select%20version()
  - select%28sleep%2810%29
  - SELECTCHAR(
  - table_schema
  - UNION ALL SELECT
  - UNION SELECT
  - UNION%20ALL%20SELECT
  - UNION%20SELECT
  - '''1''=''1'
selection:
  cs-method: GET
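All three rules share one shape: select GET requests, match a keyword list anywhere in the event, and suppress hits whose sc-status is 404 (the request never reached an application handler). The following is an added example, not Sigma's code or a rule from this page, that evaluates that shape over a few constructed W3C-style access log lines; the field layout and the representative keyword subsets are assumptions, and the full lists above should be used in practice.

```python
# Added example: evaluate the three access-log rules above against sample lines.
# Keyword subsets are taken from the rules on this page (representative, not complete).
RULES = {
    "Cross Site Scripting Strings": [
        "=<script>", "=%3Cscript%3E", "<iframe ", "document.cookie",
        " onerror=", "javascript:alert",
    ],
    "Server Side Template Injection Strings": [
        "={{", "=%7B%7B", "=${", "=<%=", "freemarker.template.utility.Execute",
    ],
    "SQL Injection Strings In URI": [
        "@@version", "=select ", "UNION SELECT", "UNION%20SELECT",
        "or 1=1#", "information_schema.tables", "select%28sleep%2810%29",
    ],
}

# Assumed field order of the constructed log lines (a W3C-style layout).
FIELDS = ["date", "time", "c-ip", "cs-method", "cs-uri-stem", "cs-uri-query", "sc-status"]


def parse_line(line):
    return dict(zip(FIELDS, line.split()))


def match_rules(line):
    """Return the names of the rules whose condition holds for one log line."""
    ev = parse_line(line)
    # selection: GET only; filter: drop 404s (payload never hit an application route)
    if ev.get("cs-method") != "GET" or ev.get("sc-status") == "404":
        return []
    haystack = line.lower()  # Sigma keyword matching is case-insensitive by default
    return [name for name, kws in RULES.items() if any(k.lower() in haystack for k in kws)]


# Constructed sample log; line 5 exercises the 404 filter, line 6 the GET selection.
SAMPLE_LOG = """\
2024-05-01 10:00:01 203.0.113.5 GET /search q=shoes 200
2024-05-01 10:00:02 203.0.113.5 GET /search q=%3Cscript%3Ealert(1)%3C/script%3E 200
2024-05-01 10:00:03 203.0.113.5 GET /profile name=${7*7} 200
2024-05-01 10:00:04 203.0.113.5 GET /item id=1%20UNION%20SELECT%20@@version 500
2024-05-01 10:00:05 203.0.113.5 GET /old id=1%20UNION%20SELECT%201 404
2024-05-01 10:00:06 203.0.113.5 POST /login - 200
""".splitlines()


def scan(lines):
    """Return (1-based line number, matched rule names) for every alerting line."""
    hits = []
    for i, line in enumerate(lines, start=1):
        matched = match_rules(line)
        if matched:
            hits.append((i, matched))
    return hits
```

Running scan(SAMPLE_LOG) flags lines 2, 3 and 4 under one rule each; the 404 and the POST request produce no alert.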