-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathSlowlorisDetection
42 lines (40 loc) · 1.56 KB
/
SlowlorisDetection
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
id: ae0613f0-a72a-4539-8419-5db37d94a8c7
name: Several deny actions registered
description: |
Attackers are trying to impact your envionment by leveraging a distributed denial of service attack,
the following rule is looking for DDOS patterns similar to SlowLoris attack , Slowloris is an application
layer DDoS attack which uses partial HTTP requests to open connections between a single computer and a targeted Web server,
then keeping those connections open for as long as possible, thus overwhelming and slowing down the target.
This type of DDoS attack requires minimal bandwidth to launch and only impacts the target web server, leaving
other services and ports unaffected. Slowloris DDoS attacks can target many type of Web server software, but has proven highly-effective against Apache 1.x and 2.x.
severity: Medium
requiredDataConnectors:
- connectorId: AzureFirewall
dataTypes:
- AzureDiagnostics
queryFrequency: 5min
queryPeriod: 5 min
triggerOperator: gt
triggerThreshold: 500
tactics:
- CommandAndControl
relevantTechniques:
- T1046
- T1041
- T1071
query: |
AzureDiagnostics
| where ResourceType == "AZUREFIREWALLS"
| where OperationName == "AzureFirewallIDSLog"
| parse msg_s with Protocol " request from " SourceIP ":" SourcePort " to " DestIP ":" DestPort "." Action "." SignatureID "." Message
| where SignatureID contains "2012870"
entityMappings:
- entityType: IP
fieldMappings:
- identifier: Address
columnName: SourceIP
- entityType: HOST
fieldMappings:
- identifier: HostName
columnName: ClientIP_s
version: 1.0.0