Web detections

 

A path traversal attack (also known as directory traversal) aims to access files and directories that are stored outside the web root folder. One way to detect this kind of attack is to monitor the number of slashes included in the URL.

Source table → web.all.access
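
The slash-count check described above, sketched in Python as an added example (it is not the platform's own detection query). The threshold, the combined log format and the sample lines are assumptions constructed for illustration; the URL is percent-decoded first so that encoded separators are counted too.

```python
import re
from urllib.parse import unquote

# Assumed threshold; tune it against the normal path depth of your own site.
SLASH_THRESHOLD = 8
# Request line inside a combined-format access log entry (assumed format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD|PUT|DELETE|OPTIONS) (\S+) HTTP/[\d.]+"')

def decode_fully(value, max_rounds=3):
    """Percent-decode repeatedly so %2f and double-encoded %252f both become '/'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def slash_count(url):
    """Count separators in the decoded request target, treating '\\' like '/'."""
    target = decode_fully(url)
    return target.count("/") + target.count("\\")

def suspicious_requests(log_lines, threshold=SLASH_THRESHOLD):
    """Return (url, slash_count) for each request at or above the threshold."""
    hits = []
    for line in log_lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue  # malformed or non-HTTP line: skip rather than fail
        url = match.group(1)
        count = slash_count(url)
        if count >= threshold:
            hits.append((url, count))
    return hits

def _line(url):
    return f'203.0.113.7 - - [01/Jan/2024:00:00:00 +0000] "GET {url} HTTP/1.1" 404 153 "-" "-"'

# Constructed sample log lines (not taken from a real system).
SAMPLE_LOG = [
    _line("/index.html"),
    _line("/docs/v2/api/reference/index.html"),
    _line("/images" + "/.." * 7 + "/etc/passwd"),
    _line("/download?file=" + "..%2f" * 8 + "config"),
    _line("/static/" + "..%252f" * 7 + "app.ini"),
]

if __name__ == "__main__":
    for url, count in suspicious_requests(SAMPLE_LOG):
        print(count, url)
```

Counting only raw slashes would score the two encoded requests at 1 and 2, so decoding before counting is what lets them cross the threshold.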

Web server requests for resources related to automated services (robots) that use different User Agents are considered suspicious behavior.

Source table → web.all.access

Using a list of names of files likely to contain sensitive information, in this case passwords, possible attempts to access this type of file are monitored.

Source table → web.all.access

A malware-related file is stored in a directory or archive that is made accessible to unauthorized actors.

Source table → web.all.access

Access to suspicious resources, such as so-called webshells, must be monitored. This is done using a list of files broadly used by malware to host malicious services on compromised servers.

Source table → web.all.access