|
41 | 41 | logs-apache.access-*, |
42 | 42 | logs-apache_tomcat.access-*, |
43 | 43 | logs-iis.access-* |
| 44 | +
|
| 45 | +| eval Esql.user_agent_original_lower = to_lower(user_agent.original) |
| 46 | +
|
44 | 47 | | where |
45 | 48 | (url.original is not null or url.full is not null) and |
46 | 49 | ( |
47 | | - user_agent.original like "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36" or // Nikto |
48 | | - user_agent.original like "nikto*" or // Nikto |
49 | | - user_agent.original like "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)" or // Nessus |
50 | | - user_agent.original like "sqlmap/*" or // SQLMap |
51 | | - user_agent.original like "WPScan *" or // WPScan |
52 | | - user_agent.original like "feroxbuster/*" or // Feroxbuster |
53 | | - user_agent.original like "masscan*" or // Masscan & masscan-ng |
54 | | - user_agent.original like "Fuzz*" or // Ffuf |
55 | | - user_agent.original like "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/user_agent.original like~ 87.0.4280.88 Safari/537.36" or // Dirsearch |
56 | | - user_agent.original like "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" or // Dirb |
57 | | - user_agent.original like "DirBuster*" or // Dirbuster |
58 | | - user_agent.original like "gobuster/*" or // Gobuster |
59 | | - user_agent.original like "*nmap*" or // Nmap Scripting Engine |
60 | | - user_agent.original like "*hydra*" or // Hydra Brute Forcer |
61 | | - user_agent.original like "*w3af*" or // w3af Web Application Attack and Audit Framework |
62 | | - user_agent.original like "*Arachni*" or // Arachni Web Application Security Scanner |
63 | | - user_agent.original like "*Skipfish*" or // Skipfish Web Application Security Scanner |
64 | | - user_agent.original like "*OpenVAS*" or // OpenVAS Vulnerability Scanner |
65 | | - user_agent.original like "*Acunetix*" or // Acunetix Vulnerability Scanner |
66 | | - user_agent.original like "*Nessus*" or // Nessus Vulnerability Scanner |
67 | | - user_agent.original like "*dirsearch*" or // dirsearch |
68 | | - user_agent.original like "*ZAP*" or // OWASP ZAP |
69 | | - user_agent.original like "*Burp*" // Burp Suite |
| 50 | + Esql.user_agent_original_lower like "mozilla/5.0 (windows nt 10.0; win64; x64) applewebkit/537.36 (khtml, like gecko) chrome/74.0.3729.169 safari/537.36" or // Nikto |
| 51 | + Esql.user_agent_original_lower like "nikto*" or // Nikto |
| 52 | + Esql.user_agent_original_lower like "mozilla/4.0 (compatible; msie 8.0; windows nt 5.1; trident/4.0)" or // Nessus Vulnerability Scanner |
| 53 | + Esql.user_agent_original_lower like "*nessus*" or // Nessus Vulnerability Scanner |
| 54 | + Esql.user_agent_original_lower like "sqlmap/*" or // SQLMap |
| 55 | + Esql.user_agent_original_lower like "wpscan*" or // WPScan |
| 56 | + Esql.user_agent_original_lower like "feroxbuster/*" or // Feroxbuster |
| 57 | + Esql.user_agent_original_lower like "masscan*" or // Masscan & masscan-ng |
| 58 | + Esql.user_agent_original_lower like "fuzz*" or // Ffuf |
| 59 | + Esql.user_agent_original_lower like "mozilla/5.0 (windows nt 10.0; win64; x64) applewebkit/537.36 (khtml, like gecko) chrome/user_agent.original like~ 87.0.4280.88 safari/537.36" or // Dirsearch |
| 60 | + Esql.user_agent_original_lower like "mozilla/4.0 (compatible; msie 6.0; windows nt 5.1)" or // Dirb |
| 61 | + Esql.user_agent_original_lower like "dirbuster*" or // Dirbuster |
| 62 | + Esql.user_agent_original_lower like "gobuster/*" or // Gobuster |
| 63 | + Esql.user_agent_original_lower like "*dirsearch*" or // dirsearch |
| 64 | + Esql.user_agent_original_lower like "*nmap*" or // Nmap Scripting Engine |
| 65 | + Esql.user_agent_original_lower like "*hydra*" or // Hydra Brute Forcer |
| 66 | + Esql.user_agent_original_lower like "*w3af*" or // w3af Web Application Attack and Audit Framework |
| 67 | + Esql.user_agent_original_lower like "*arachni*" or // Arachni Web Application Security Scanner |
| 68 | + Esql.user_agent_original_lower like "*skipfish*" or // Skipfish Web Application Security Scanner |
| 69 | + Esql.user_agent_original_lower like "*openvas*" or // OpenVAS Vulnerability Scanner |
| 70 | + Esql.user_agent_original_lower like "*acunetix*" or // Acunetix Vulnerability Scanner |
| 71 | + Esql.user_agent_original_lower like "*zap*" or // OWASP ZAP |
| 72 | + Esql.user_agent_original_lower like "*burp*" // Burp Suite |
70 | 73 | ) |
71 | 74 |
|
72 | 75 | | eval Esql.url_text = case(url.original is not null, url.original, url.full) |
|
79 | 82 | source.ip, |
80 | 83 | agent.id, |
81 | 84 | host.name, |
82 | | - Esql.url_lower |
| 85 | + Esql.url_lower, |
| 86 | + Esql.user_agent_original_lower |
83 | 87 | | stats |
84 | 88 | Esql.event_count = count(), |
85 | 89 | Esql.url_path_count_distinct = count_distinct(Esql.url_lower), |
86 | 90 | Esql.host_name_values = values(host.name), |
87 | 91 | Esql.agent_id_values = values(agent.id), |
88 | 92 | Esql.url_path_values = values(Esql.url_lower), |
89 | | - Esql.user_agent_original_values = values(user_agent.original), |
| 93 | + Esql.user_agent_original_values = values(Esql.user_agent_original_lower), |
90 | 94 | Esql.event_dataset_values = values(event.dataset) |
91 | 95 | by source.ip, agent.id |
92 | 96 | | where |
93 | 97 | Esql.event_count > 50 and Esql.url_path_count_distinct > 10 |
94 | | -| limit 100 |
95 | 98 | ''' |
96 | 99 |
|
97 | 100 | [[rule.threat]] |
|