top of page

Error: type mismatch in "" of type number = "200"

Recently started exploring and evaluating cloud provided SIEM services. Chronicles by Google is one such platform that provides autonomous security event management solution which is easy to handle and operate.

The challenge occurs when we start writing rules for threat detections or fetch sample rules from from GitHub.

One of the rules named as 'a_webshell_ensiko_with_ransomware_capabilities' under the path detection-rules/soc_prime_rules/threat_hunting/webserver triggered an error while including in the rules set in Chronicles.

Error details


As it clearly states that the input as an integer should not be input as a string, it must be changed to string by just removing the double quotes from the number. so this is your new rule instead:

rule a_webshell_ensiko_with_ransomware_capabilities { meta: author = "Osman Demir" description = "Ensiko is a PHP web shell with ransomware capabilities that targets various platforms such as Linux, Windows, macOS, or any other platform that has PHP installed. The malware has the capability to remotely control the system and accept commands to perform malicious activities on the infected machine. License:" reference = "" version = "0.01" created = "2021-03-09" category = "webserver" mitre = "T1505, Persistence" events: (($ = "POST" and $ = 200 and (re.regex($, `.*/webshell/shell\.php`) or re.regex($, `.*/webshell/shell\.php\?ganteng`)) and ($ = "passwrd=RaBiitch&action=login&hide=&usrname=RaBiitch" or $ = "key=password&method=1&submit=Submit")) or $ = "5fdbf87b7f74327e9132b5edb5c217bdcf49fe275945d502ad675c1dd46e3db5") condition: $selection }


It saves the rule and tests were conducted successfully.

21 views0 comments

Recent Posts

See All
Post: Blog2_Post
bottom of page