Skip to content

[Rule: New] Potential Web Server Fuzzing Attempts Detected #4720

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

[Rule: New] Potential Web Server Fuzzing Attempts Detected #4720

wants to merge 1 commit into from

Conversation

@MakoWish
Copy link
Contributor

Pull Request

Issue link(s):

Summary

This rule attempts to detect potential fuzzing attempts against web servers. Fuzzing is a malicious attempt to find misconfigurations, local file inclusions, directory traversal, or other vulnerabilities in a web service. These attempts typically generate numerous error status codes (403, 404, etc.), so this rule looks for a sequence of these status codes from the same source IP to the same destination IP.

How To Test

Checklist

  • Added a label for the type of pr: bug, enhancement, schema, maintenance, Rule: New, Rule: Deprecation, Rule: Tuning, Hunt: New, or Hunt: Tuning so guidelines can be generated
  • Added the meta:rapid-merge label if planning to merge within 24 hours
  • Secret and sensitive material has been managed correctly
  • Automated testing was updated or added to match the most common scenarios
  • Documentation and comments were added for features that require explanation

Contributor checklist

@botelastic
Copy link

botelastic bot commented Jul 11, 2025

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@botelastic botelastic bot added the stale 60 days of inactivity label Jul 11, 2025
@w0rk3r w0rk3r added the backlog label Jul 16, 2025
@botelastic botelastic bot removed the stale 60 days of inactivity label Jul 16, 2025
@Aegrah Aegrah self-assigned this Oct 10, 2025
@Aegrah
Copy link
Contributor

Aegrah commented Oct 10, 2025

Hi @MakoWish, thanks for the issue. I am currently looking into several web-server-based detection, and was wondering about the additional integrations that you added to the rule. You listed:

"network_traffic", "azure", "apm", "apache", "cisco_ftd", "iis", "microsoft_exchange_server"

I know that network_traffic, apache and iis indeed are compatible with the http.response.status_code field. Are you sure that the others are as well?

Also, if possible, it would help me out a lot to get a redacted event for the other data sources, so that I can make sure that the rules I write are compatible. E.g.:

The following fields can be used across integrations:

  • user_agent.original
  • url.path
  • http.response.status_code
  • http.request.method --> caveat: not always populated

For URL-specific detections:

  • url.original: Apache, IIS, Nginx
  • url.full: NPC

If I can make the list of confirmed compatible integrations longer, I can make the rules more broadly compatible. Thank you!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@Aegrah Aegrah

Labels

backlog backport: auto community

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@MakoWish @Aegrah @w0rk3r