updated BBR

Author: terrancedejesus

rules/network/initial_access_react_server_components_rce_attempt.toml

@@ -10,8 +10,8 @@ description = """
 This rule detects exploitation attempts targeting CVE-2025-55182, a critical remote code execution vulnerability in
 React Server Components (RSC) Flight protocol. The vulnerability allows attackers to execute arbitrary code on the
 server by sending specially crafted deserialization payloads that exploit prototype chain traversal to access the
-Function constructor. This rule focuses on high-fidelity indicators of active exploitation including successful
-command execution responses and prototype pollution attack patterns.
+Function constructor. This rule focuses on high-fidelity indicators of active exploitation including successful command
+execution responses and prototype pollution attack patterns.
 """
 from = "now-9m"
 index = ["logs-network_traffic.http*"]
@@ -51,7 +51,7 @@ references = [
     "https://www.wiz.io/blog/critical-vulnerability-in-react-cve-2025-55182",
     "https://github.com/assetnote/react2shell-scanner",
     "https://slcyber.io/research-center/high-fidelity-detection-mechanism-for-rsc-next-js-rce-cve-2025-55182-cve-2025-66478/",
-    "https://github.com/msanft/CVE-2025-55182"
+    "https://github.com/msanft/CVE-2025-55182",
 ]
 risk_score = 73
 rule_id = "a8f7e9d4-3b2c-4d5e-8f1a-6c9b0e2d4a7f"

rules_building_block/initial_access_anomalous_rsc_flight_data_patterns.toml

@@ -10,12 +10,12 @@ building_block_type = "default"
 description = """
 This rule detects anomalous patterns in React Server Components (RSC) Flight protocol data streams that may indicate
 code injection or exploitation attempts. The Flight protocol is used by React and Next.js for server-client
-communication, and should never contain Node.js code execution primitives like child_process, fs module calls, or
-eval patterns. This building block rule casts a wider net to identify suspicious payloads that warrant further
-investigation.
+communication, and should never contain Node.js code execution primitives like child_process, fs module calls, or eval
+patterns. This building block rule casts a wider net to identify suspicious payloads that warrant further investigation.
 """
-from = "now-9m"
+from = "now-119m"
 index = ["logs-network_traffic.http*"]
+interval = "60m"
 language = "eql"
 license = "Elastic License v2"
 name = "Anomalous React Server Components Flight Data Patterns"
@@ -25,7 +25,7 @@ references = [
     "https://www.wiz.io/blog/critical-vulnerability-in-react-cve-2025-55182",
     "https://slcyber.io/research-center/high-fidelity-detection-mechanism-for-rsc-next-js-rce-cve-2025-55182-cve-2025-66478/",
     "https://nextjs.org/docs/app/building-your-application/rendering/server-components",
-    "https://tonyalicea.dev/blog/understanding-react-server-components/"
+    "https://tonyalicea.dev/blog/understanding-react-server-components/",
 ]
 risk_score = 21
 rule_id = "b9c8d7e6-5a4f-3c2b-1d0e-9f8a7b6c5d4e"
@@ -44,7 +44,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''
-network where http.request.method == "POST" and http.response.status_code != 200
+network where http.request.method == "POST" and http.response.status_code != 200 and
 (
     // Node.js child_process module
     (
@@ -97,7 +97,6 @@ reference = "https://attack.mitre.org/techniques/T1190/"
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -110,7 +109,9 @@ name = "JavaScript"
 reference = "https://attack.mitre.org/techniques/T1059/007/"
 
 
+
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+