1type: trigger
2format: 2.0
3name: crowdsecurity/f5-big-ip-cve-2020-5902
4description: "F5 BIG-IP TMUI - RCE (CVE-2020-5902)"
5filter: |
6  evt.Meta.log_type in ["http_access-log", "http_error-log"] and 
7    (
8    Upper(evt.Meta.http_path) matches Upper('/tmui/login.jsp/..;/tmui/[^.]+.jsp\\?(fileName|command|directoryPath|tabId)=')
9    or
10    Upper(evt.Meta.http_path) matches Upper('/tmui/login.jsp/%2E%2E;/tmui/[^.]+.jsp\\?(fileName|command|directoryPath|tabId)=')
11    )
12groupby: "evt.Meta.source_ip"
13blackhole: 2m
14labels:
15  confidence: 3
16  spoofable: 0
17  classification:
18    - attack.T1190
19    - attack.T1595
20    - cve.CVE-2020-5902
21  behavior: "http:exploit"
22  label: "F5 BIG-IP TMUI - RCE"
23  remediation: true
24  service: f5
25