Hub configuration

More info

pulse-secure-sslvpn-cve-2019-11510 Scenario

« pulse-secure-sslvpn-cve-2019-11510 »
v0.3 by crowdsecurity
Attack scenarioremediation:trueservice:pulse-securespoofable:0MITRE:T1190confidence:3

Detect cve-2019-11510 exploitation attemps

Installation

cscli scenarios install crowdsecurity/pulse-secure-sslvpn-cve-2019-11510

YAML Configuration

1type: trigger
2format: 2.0
3name: crowdsecurity/pulse-secure-sslvpn-cve-2019-11510
4description: "Detect cve-2019-11510 exploitation attemps"
5filter: |
6  evt.Meta.log_type in ["http_access-log", "http_error-log"] and 
7    (Upper(evt.Meta.http_path) matches Upper('/dana-na/../dana/html5acc/guacamole/../../../../../../../[^?]+\\?/dana/html5acc/guacamole/')
8    or
9    Upper(evt.Meta.http_path) matches Upper('/dana-na/%2E%2E/dana/html5acc/guacamole/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/[^?]+\\?/dana/html5acc/guacamole/'))
10groupby: "evt.Meta.source_ip"
11blackhole: 2m
12labels:
13  remediation: true
14  confidence: 3
15  spoofable: 0
16  classification:
17    - attack.T1190
18    - cve.CVE-2019-11510
19  behavior: "http:exploit"
20  label: "Pulse Secure CVE-2019-11510"
21  service: pulse-secure
22

Hub configuration

« pulse-secure-sslvpn-cve-2019-11510 »v0.3 by crowdsecurityAttack scenarioremediation:trueservice:pulse-secureCVE-2019-11510spoofable:0MITRE:T1190confidence:3

« pulse-secure-sslvpn-cve-2019-11510 »
v0.3 by crowdsecurity
Attack scenarioremediation:trueservice:pulse-securespoofable:0MITRE:T1190confidence:3