- title: Pulse Secure Attack CVE-2019-11510
id: 2dbc10d7-a797-49a8-8776-49efa6442e60
description: Detects CVE-2019-11510 exploitation attempt - URI contains Guacamole
references:
- https://www.exploit-db.com/exploits/47297
author: Florian Roth
logsource:
category: webserver
product: null
service: null
detection:
selection:
c-uri-path: '*?/dana/html5acc/guacamole/*'
condition: selection
fields:
- client_ip
- vhost
- url
- response
falsepositives:
- Unknown
level: critical
In [ ]:
from elasticsearch import Elasticsearch
from elasticsearch_dsl import Search
import pandas as pd
In [ ]:
es = Elasticsearch(['http://helk-elasticsearch:9200'])
searchContext = Search(using=es, index='logs-*', doc_type='doc')
In [ ]:
s = searchContext.query('query_string', query='c-uri-path.keyword:*?\/dana\/html5acc\/guacamole\/*')
response = s.execute()
if response.success():
df = pd.DataFrame((d.to_dict() for d in s.scan()))
In [ ]:
df.head()