
Commit 59dba87

Update variable names to use consistent casing
1 parent d5d9541 commit 59dba87

1 file changed

+15
-15
lines changed

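--- a/rules/cross-platform/persistence_web_server_potential_command_injection.toml
+++ b/rules/cross-platform/persistence_web_server_potential_command_injection.toml
@@ -50,20 +50,20 @@ from
 @timestamp > now() - 1d and
 (url.original is not null or url.full is not null)
 
-| eval esql_url_text = case(url.original is not null, url.original, url.full)
-| eval esql_url_lower = to_lower(esql_url_text)
-
-| eval contains_interpreter = case(esql_url_lower like "*python* -c*" or esql_url_lower like "*perl* -e*" or esql_url_lower like "*ruby* -e*" or esql_url_lower like "*ruby* -rsocket*" or esql_url_lower like "*lua* -e*" or esql_url_lower like "*php* -r*" or esql_url_lower like "*node* -e*", 1, 0)
-| eval contains_shell = case(esql_url_lower like "*/bin/bash*" or esql_url_lower like "*bash*-c*" or esql_url_lower like "*/bin/sh*" or esql_url_lower rlike "*sh.{1,2}-c*", 1, 0)
-| eval contains_nc = case(esql_url_lower like "*netcat*" or esql_url_lower like "*ncat*" or esql_url_lower rlike """.*nc.{1,2}[0-9]{1,3}(\.[0-9]{1,3}){3}.{1,2}[0-9]{1,5}.*""" or esql_url_lower like "*nc.openbsd*" or esql_url_lower like "*nc.traditional*" or esql_url_lower like "*socat*", 1, 0)
-| eval contains_devtcp = case(esql_url_lower like "*/dev/tcp/*" or esql_url_lower like "*/dev/udp/*", 1, 0)
-| eval contains_helpers = case(esql_url_lower like "*mkfifo*" or esql_url_lower like "*nohup*" or esql_url_lower like "*setsid*" or esql_url_lower like "*busybox*", 1, 0)
-| eval contains_sus_cli = case(esql_url_lower like "*import*pty*spawn*" or esql_url_lower like "*import*subprocess*call*" or esql_url_lower like "*tcpsocket.new*" or esql_url_lower like "*tcpsocket.open*" or esql_url_lower like "*io.popen*" or esql_url_lower like "*os.execute*" or esql_url_lower like "*fsockopen*", 1, 0)
-| eval contains_privileges = case(esql_url_lower like "*chmod*" or esql_url_lower like "*chown*", 1, 0)
-| eval contains_downloader = case(esql_url_lower like "*curl *" or esql_url_lower like "*wget *" , 1, 0)
-| eval contains_file_read_keywords = case(esql_url_lower like "*/etc/shadow*" or esql_url_lower like "*/etc/passwd*" or esql_url_lower like "*/root/.ssh/*" or esql_url_lower like "*/home/*/.ssh/*" or esql_url_lower like "*~/.ssh/*" or esql_url_lower like "*/proc/self/environ*", 1, 0)
-| eval contains_base64_cmd = case(esql_url_lower like "*base64*-d*" or esql_url_lower like "*xxd*" or esql_url_lower like "*echo*|*base64*", 1, 0)
-| eval contains_suspicious_path = case(esql_url_lower like "*/tmp/*" or esql_url_lower like "*/var/tmp/*" or esql_url_lower like "*/dev/shm/*" or esql_url_lower like "*/root/*" or esql_url_lower like "*/home/*/*" or esql_url_lower like "*/var/www/*" or esql_url_lower like "*/etc/cron.*/*", 1, 0)
+| eval Esql_url_text = case(url.original is not null, url.original, url.full)
+| eval Esql_url_lower = to_lower(Esql_url_text)
+
+| eval contains_interpreter = case(Esql_url_lower like "*python* -c*" or Esql_url_lower like "*perl* -e*" or Esql_url_lower like "*ruby* -e*" or Esql_url_lower like "*ruby* -rsocket*" or Esql_url_lower like "*lua* -e*" or Esql_url_lower like "*php* -r*" or Esql_url_lower like "*node* -e*", 1, 0)
+| eval contains_shell = case(Esql_url_lower like "*/bin/bash*" or Esql_url_lower like "*bash*-c*" or Esql_url_lower like "*/bin/sh*" or Esql_url_lower rlike "*sh.{1,2}-c*", 1, 0)
+| eval contains_nc = case(Esql_url_lower like "*netcat*" or Esql_url_lower like "*ncat*" or Esql_url_lower rlike """.*nc.{1,2}[0-9]{1,3}(\.[0-9]{1,3}){3}.{1,2}[0-9]{1,5}.*""" or Esql_url_lower like "*nc.openbsd*" or Esql_url_lower like "*nc.traditional*" or Esql_url_lower like "*socat*", 1, 0)
+| eval contains_devtcp = case(Esql_url_lower like "*/dev/tcp/*" or Esql_url_lower like "*/dev/udp/*", 1, 0)
+| eval contains_helpers = case(Esql_url_lower like "*mkfifo*" or Esql_url_lower like "*nohup*" or Esql_url_lower like "*setsid*" or Esql_url_lower like "*busybox*", 1, 0)
+| eval contains_sus_cli = case(Esql_url_lower like "*import*pty*spawn*" or Esql_url_lower like "*import*subprocess*call*" or Esql_url_lower like "*tcpsocket.new*" or Esql_url_lower like "*tcpsocket.open*" or Esql_url_lower like "*io.popen*" or Esql_url_lower like "*os.execute*" or Esql_url_lower like "*fsockopen*", 1, 0)
+| eval contains_privileges = case(Esql_url_lower like "*chmod*" or Esql_url_lower like "*chown*", 1, 0)
+| eval contains_downloader = case(Esql_url_lower like "*curl *" or Esql_url_lower like "*wget *" , 1, 0)
+| eval contains_file_read_keywords = case(Esql_url_lower like "*/etc/shadow*" or Esql_url_lower like "*/etc/passwd*" or Esql_url_lower like "*/root/.ssh/*" or Esql_url_lower like "*/home/*/.ssh/*" or Esql_url_lower like "*~/.ssh/*" or Esql_url_lower like "*/proc/self/environ*", 1, 0)
+| eval contains_base64_cmd = case(Esql_url_lower like "*base64*-d*" or Esql_url_lower like "*xxd*" or Esql_url_lower like "*echo*|*base64*", 1, 0)
+| eval contains_suspicious_path = case(Esql_url_lower like "*/tmp/*" or Esql_url_lower like "*/var/tmp/*" or Esql_url_lower like "*/dev/shm/*" or Esql_url_lower like "*/root/*" or Esql_url_lower like "*/home/*/*" or Esql_url_lower like "*/var/www/*" or Esql_url_lower like "*/etc/cron.*/*", 1, 0)
 
 | eval any_payload_keyword = case(
 contains_interpreter == 1 or contains_shell == 1 or contains_nc == 1 or contains_devtcp == 1 or
@@ -72,7 +72,7 @@ from
 
 | keep
 @timestamp,
-esql_url_lower,
+Esql_url_lower,
 any_payload_keyword,
 contains_interpreter,
 contains_shell,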
