sourcetype=”apache:access” http_method=POST request=”*{ :;};*” OR request=”*/bin/*” A very simple query to detect attempts at running Linux commands on an Apache web server. The POST http request is where the command is injected. By searching the “request” field for tell tale signs of the attempt you can understand when and where the attack is occurring […]