Ad slot: top
GoSplunk SPL + dashboard repository
Log in Register

SPL

IIS: Indicators of directory traversal, RFI and LFI

IIS

Description

Submitted by Ronald (Access42)

The following shows IoC for directory traversal, RFI and LFI within IIS logging:
3 0 
index=* sourcetype="ms:iis:default"NOT ("cookie.js" OR "script.js") AND (referer="-" OR referer="") AND (uri_query="*passwd*" OR uri_query="*cmd*" OR uri_query="*%00*" OR uri_query="*.txt*")|table _time, clientip, status, uri_query

Comments

0 total

Be the first to comment on this SPL.

Leave a comment

You must log in to post a comment.

Ad slot: bottom