Bitrix Rules for Wazuh

Небольшой набор правил для SIEM Wazuh, направленных для мониторинг попыток эксплуатации уязвимостей Битрикса, описанных в данном райтапе: https://github.com/cr1f/writeups/blob/main/attacking_bitrix.pdf

Пример обработки логов

1. html_editor_action.php

Exploit:

Лог:

Apr 11 11:11:11 bitrix nginx: 99.99.99.33 - - [11/Apr/2024:11:11:11 +0400 - 0.067] 200 "POST /bitrix/tools/html_editor_action.php HTTP/2.0" 6436 "https://bitrix.bitrix/bitrix/components/bitrix/map.yandex.search/settings/settings.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.112 Safari/537.36" "-"

Результат:

2. vote/uf.php:

Exploit:

Лог:

Apr  1 11:11:11 bitrix nginx: 77.77.206.77 - - [01/Apr/2024:11:11:11 +0400 - 0.070] 404 "POST /bitrix/tools/vote/uf.php?attachId[ENTITY_TYPE]=CFileUploader&attachId[ENTITY_ID][events][onFileIsStarted][]=CAllAgent&attachId[ENTITY_ID][events][onFileIsStarted][]=Update&attachId[MODULE_ID]=vote&action=vote HTTP/1.1" 6866 "https://bitrix.bitrix.ru/bitrix/tools/composite_data.php" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2702.93 Safari/537.36" "-"

Результат:

Name		Name	Last commit message	Last commit date
Latest commit History 8 Commits
README.md		README.md
bitrix.png		bitrix.png
bitrix1.png		bitrix1.png
bitrix2.png		bitrix2.png
bitrix3.png		bitrix3.png
bitrix4.png		bitrix4.png
local_rules.xml		local_rules.xml

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Repository files navigation

Bitrix Rules for Wazuh

Пример обработки логов

About

tread-lightly/Bitrix_rules_for_Wazuh

Folders and files

Latest commit

History

Repository files navigation

Bitrix Rules for Wazuh

Пример обработки логов

About

Topics

Resources

Stars

Watchers

Forks