
Error: type mismatch in "selection.udm.network.http.response_code" of type number = "200"



I recently started exploring and evaluating cloud-provided SIEM services. Chronicle by Google is one such platform: it provides an autonomous security event management solution that is easy to handle and operate.


The challenge begins when we start writing threat-detection rules or fetch sample rules from GitHub:

https://github.com/chronicle/detection-rules

One of the rules, named 'a_webshell_ensiko_with_ransomware_capabilities' and located under detection-rules/soc_prime_rules/threat_hunting/webserver, triggered an error when it was added to the rule set in Chronicle.


Error details


Solution

As the error clearly states, the field is of type number, so the value must not be given as the string "200"; removing the double quotes turns it into the integer 200. The corrected rule is therefore:


rule a_webshell_ensiko_with_ransomware_capabilities {
  meta:
    author = "Osman Demir"
    description = "Ensiko is a PHP web shell with ransomware capabilities that targets various platforms such as Linux, Windows, macOS, or any other platform that has PHP installed. The malware has the capability to remotely control the system and accept commands to perform malicious activities on the infected machine. License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md."
    reference = "https://tdm.socprime.com/tdm/info/COgjQByoceJW"
    version = "0.01"
    created = "2021-03-09"
    category = "webserver"
    mitre = "T1505, Persistence"
  events:
    (
      ($selection.network.http.method = "POST" and
       $selection.network.http.response_code = 200 and
       (re.regex($selection.target.url, `.*/webshell/shell\.php`) or
        re.regex($selection.target.url, `.*/webshell/shell\.php\?ganteng`)) and
       ($selection.target.url = "passwrd=RaBiitch&action=login&hide=&usrname=RaBiitch" or
        $selection.target.url = "key=password&method=1&submit=Submit"))
      or $selection.target.file.md5 = "5fdbf87b7f74327e9132b5edb5c217bdcf49fe275945d502ad675c1dd46e3db5"
    )
  condition:
    $selection
}
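As an added example that is not part of the original post or of the chronicle/detection-rules repository, here is a small Python checker for this class of mistake. It finds integer-typed UDM fields that are compared to a quoted number (the cause of the error above), rewrites them with a bare integer, and, as a second sanity check, compares the length of each hash literal against the hash field it is compared to. The set of numeric fields and the hash-length table are assumptions kept deliberately short; the rule text is a constructed, trimmed copy of the events section of the rule discussed here, with the double quotes around 200 restored so the error is reproducible.

```python
"""Lint a YARA-L rule body for literal/field mismatches.

Added example, not code from the original post or from the
chronicle/detection-rules repository.
"""
import re

# Assumption: a small set of UDM fields that Chronicle types as integers.
# Extend it with the fields your own rules touch, using the UDM field list
# in Chronicle's documentation as the authority.
NUMERIC_FIELDS = {
    "network.http.response_code",
    "principal.port",
    "target.port",
}

# Assumption: expected hex length for each hash field name.
HASH_LENGTHS = {"md5": 32, "sha1": 40, "sha256": 64}

# $var.field <op> "digits"   e.g. $selection.network.http.response_code = "200"
QUOTED_NUMBER = re.compile(
    r'\$(?P<var>\w+)\.(?P<field>[\w.]+)\s*(?P<op><=|>=|!=|=|<|>)\s*"(?P<value>\d+)"'
)

# $var.<path>.<md5|sha1|sha256> = "hex"   e.g. $selection.target.file.md5 = "..."
HASH_LITERAL = re.compile(
    r'\$(?P<var>\w+)\.(?P<field>[\w.]+\.(?P<hash>md5|sha1|sha256))\s*=\s*"(?P<value>[0-9A-Fa-f]+)"'
)

# Constructed input: trimmed events section of the rule from the post, with the
# quotes around 200 put back so the type mismatch is present.
SAMPLE_RULE = r'''
events:
  (($selection.network.http.method = "POST" and
    $selection.network.http.response_code = "200" and
    (re.regex($selection.target.url, `.*/webshell/shell\.php`) or
     re.regex($selection.target.url, `.*/webshell/shell\.php\?ganteng`)))
   or $selection.target.file.md5 = "5fdbf87b7f74327e9132b5edb5c217bdcf49fe275945d502ad675c1dd46e3db5")
condition:
  $selection
'''


def find_quoted_numbers(rule_text):
    """Return (field, value) pairs where an integer field is compared to a quoted number."""
    return [
        (m.group("field"), m.group("value"))
        for m in QUOTED_NUMBER.finditer(rule_text)
        if m.group("field") in NUMERIC_FIELDS
    ]


def fix_quoted_numbers(rule_text):
    """Rewrite those comparisons with a bare integer literal; leave everything else untouched."""
    def unquote(m):
        if m.group("field") not in NUMERIC_FIELDS:
            return m.group(0)
        return f'${m.group("var")}.{m.group("field")} {m.group("op")} {m.group("value")}'
    return QUOTED_NUMBER.sub(unquote, rule_text)


def find_hash_length_mismatches(rule_text):
    """Return (field, expected_len, actual_len) where a hash literal does not fit its field."""
    mismatches = []
    for m in HASH_LITERAL.finditer(rule_text):
        expected = HASH_LENGTHS[m.group("hash")]
        actual = len(m.group("value"))
        if actual != expected:
            mismatches.append((m.group("field"), expected, actual))
    return mismatches


if __name__ == "__main__":
    for field, value in find_quoted_numbers(SAMPLE_RULE):
        print(f'type mismatch: {field} is a number but is compared to "{value}"')
    for field, expected, actual in find_hash_length_mismatches(SAMPLE_RULE):
        print(f"hash length: {field} expects {expected} hex chars, literal has {actual}")
    print(fix_quoted_numbers(SAMPLE_RULE))
```

Run against the rule from this post, the first check reports the quoted 200 and the rewrite produces the comparison exactly as in the corrected rule. The second check notes that the 64-character literal has the length of a SHA-256 digest while the comparison is against target.file.md5; Chronicle accepts the rule either way, so this is the kind of detail to verify against the source of the indicator before relying on that branch of the rule.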


Result

The rule is saved and the tests ran successfully.


