Is your feature request related to a problem?
This issue discusses the addition of a `waf` log group (log type) in the Security Analytics plugin. This log type will correspond to Web Application Firewall (WAF) use cases. The role of a WAF is to monitor and filter HTTP traffic between a web application and the internet; it is tasked with preventing common web attacks such as cross-site scripting (XSS), SQL injection (SQLi), etc. This new log type is for users who require out-of-the-box monitoring for the WAF use case from the Security Analytics plugin.
What solution would you like?
Presently, the SA plugin supports the `network` log group, which has a `firewall` sub-section grouping network-firewall-related rules. A network firewall controls network traffic based on IP addresses, ports, and protocols, whereas a WAF narrows control to HTTP traffic and is tailored to the behavior of web applications.
Sigma does not have explicit out-of-the-box support for WAF rules. Some rules in the proxy_generic and webserver_generic categories appear, on an initial search, to be suitable for a WAF category. The aim of this discussion is therefore to identify the rules scattered across different categories that fit the WAF criteria.
The intent of this discussion is not to dive deep into the role of WAFs, but to make sure that the important rules covering WAF-relevant attacks for a SIEM can be identified in the existing Sigma repository.
Major Sigma rules to be added across categories:
- Cross-site / Server-side Request Forgery (CSRF/SSRF): Potential CVE-2023-25717 Exploitation Attempt - Remote Code Execution via an unauthenticated HTTP GET Request (derived from CVE)
- Cross-site-scripting (XSS): Cross Site Scripting Strings
- SQL Injection (SQi): SQL Injection Strings In URI
- Suspicious User Agent: Suspicious User-Agents Related To Recon Tools
- OS Command Injection: CVE-2021-22123 exploitation - attempt against Fortinet WAFs (derived from CVE)
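As an added illustration (not code from this issue or from the Security Analytics plugin), the sketch below maps constructed WAF log records onto Sigma webserver field names and runs simplified stand-ins for three of the rule categories listed above; the log schema, the field mapping and the match strings are assumptions, not the SigmaHQ rule bodies.

```python
import json
from typing import Dict, List
from urllib.parse import unquote

# Constructed sample WAF log records (JSON, one per line). The field names are
# assumptions for illustration, not a real WAF vendor schema.
SAMPLE_WAF_LOGS = """
{"client_ip":"203.0.113.10","method":"GET","uri":"/search?q=shoes","user_agent":"Mozilla/5.0"}
{"client_ip":"203.0.113.11","method":"GET","uri":"/item?id=1' OR 1=1--","user_agent":"Mozilla/5.0"}
{"client_ip":"203.0.113.12","method":"GET","uri":"/comment?text=%3Cscript%3Ealert(1)%3C/script%3E","user_agent":"Mozilla/5.0"}
{"client_ip":"203.0.113.13","method":"GET","uri":"/","user_agent":"sqlmap/1.7"}
""".strip().splitlines()

# Assumed mapping from Sigma webserver/proxy field names to this WAF's fields,
# in the spirit of the per-log-type field mappings Security Analytics maintains.
FIELD_MAP = {"c-uri": "uri", "c-useragent": "user_agent", "cs-method": "method"}

# Simplified, constructed stand-ins for three rule categories from the list above.
# Each is a Sigma-style "field|contains" list, NOT the actual SigmaHQ rule content.
RULES: Dict[str, Dict[str, List[str]]] = {
    "SQL Injection Strings In URI": {"c-uri": ["' or 1=1", "union select", "sleep("]},
    "Cross Site Scripting Strings": {"c-uri": ["<script", "javascript:", "onerror="]},
    "Suspicious User-Agents Related To Recon Tools": {"c-useragent": ["sqlmap", "nikto", "nmap"]},
}


def matches(rule: Dict[str, List[str]], event: dict) -> bool:
    """True when every Sigma field in the rule has at least one substring hit in
    the mapped WAF field. The value is URL-decoded and lower-cased first, since
    Sigma string matching is case-insensitive and WAF requests are often encoded."""
    for sigma_field, needles in rule.items():
        value = unquote(str(event.get(FIELD_MAP[sigma_field], ""))).lower()
        if not any(n in value for n in needles):
            return False
    return True


def detect(lines: List[str]) -> List[dict]:
    """Run every rule over each JSON log line and return one finding per hit."""
    findings = []
    for line in lines:
        event = json.loads(line)
        for name, rule in RULES.items():
            if matches(rule, event):
                findings.append({"rule": name, "client_ip": event["client_ip"], "uri": event["uri"]})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_WAF_LOGS):
        print(f"{f['rule']}: {f['client_ip']} {f['uri']}")
```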
What alternatives have you considered?
Sigma rules are not exhaustive for all WAF use cases, and coverage can be further improved by introducing more use cases, such as rules related to AWS WAF.
Do you have any additional context?
Suggestions are welcome from users for more use-cases.