Web Scanning Detection
Logpresso re-validates WAPPLES detection-mode alerts triggered by error status codes (such as 404) and accurately surfaces vulnerability scanning attempts.
Query
This query targets WAPPLES alert logs in which the device's response action is DETECT and an HTTP request payload is present. It passes each request through the ml-scan-http-request command and, when the result is judged to be an actual attack, raises a detection for vulnerability or information-gathering attempts such as port scanning, vulnerability scanning, hidden file access, backup file download, and configuration file download.
| search _schema == "attack" and action == "DETECT" and signature != "Invalid HTTP" and isnotnull(http_req_headers)
| rename http_req_headers as raw_data
| ml-scan-http-request
| search verdict == "attack" and match(tags, "(?:#scanner|#scanning|#hidden_file_access|#backup_file|#config_file)(?=\\s|$)")
| lookup geoip src_ip output country as src_country, asn as src_asn
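The pipeline above, reproduced as an added Python example (not Logpresso's or WAPPLES' own code) over constructed alert records: the two search stages and the rename are modelled directly, the verdict and tags that ml-scan-http-request would append are supplied as constructed fields, the geoip lookup is omitted so it runs offline, and match() is assumed to behave as a regex search. The exceptions parameter is a hypothetical (src_ip, vhost) allowlist standing in for the exclusion conditions recommended under False Positive Types.

```python
import re

# Tag filter from the query. The (?=\s|$) lookahead requires the tag to end at
# whitespace or end-of-string, so a tag such as "#scanner_v2" is not a hit.
SCAN_TAG_RE = re.compile(
    r"(?:#scanner|#scanning|#hidden_file_access|#backup_file|#config_file)(?=\s|$)")

# Constructed WAPPLES-style records. "verdict" and "tags" stand in for the fields
# ml-scan-http-request would append; "Sample Sig" is a made-up signature name.
def make_alert(action, sig, path, src_ip, verdict, tags):
    return {"_schema": "attack", "action": action, "signature": sig,
            "http_req_headers": f"GET {path} HTTP/1.1\r\nHost: shop.example\r\n" if path else None,
            "src_ip": src_ip, "vhost": "shop.example", "verdict": verdict, "tags": tags}

SAMPLE_ALERTS = [
    make_alert("DETECT", "Sample Sig", "/.env", "198.51.100.7", "attack", "#config_file #scanner"),
    make_alert("DETECT", "Sample Sig", "/robots.txt", "203.0.113.9", "normal", ""),      # classifier: benign
    make_alert("BLOCK", "Sample Sig", "/backup.zip", "203.0.113.10", "attack", "#backup_file"),  # not DETECT
    make_alert("DETECT", "Invalid HTTP", None, "203.0.113.11", "attack", "#scanner"),   # excluded signature
    make_alert("DETECT", "Sample Sig", "/x", "203.0.113.12", "attack", "#scanner_v2"),  # fails the lookahead
]

def prefilter(rec):
    """First '| search' stage: DETECT-mode alerts that carry a request payload."""
    return (rec.get("_schema") == "attack" and rec.get("action") == "DETECT"
            and rec.get("signature") != "Invalid HTTP"
            and rec.get("http_req_headers") is not None)

def is_web_scan(rec):
    """Second '| search' stage: ML verdict is attack and a scanning tag is present."""
    return (rec.get("verdict") == "attack"
            and SCAN_TAG_RE.search(rec.get("tags") or "") is not None)

def detect_web_scans(alerts, exceptions=frozenset()):
    """Run the rule over alert records and return the alert messages.
    'exceptions' is a hypothetical allowlist of (src_ip, vhost) pairs, the kind of
    exception condition added for known false positives. geoip (src_asn) is omitted."""
    messages = []
    for rec in alerts:
        if not prefilter(rec):
            continue
        rec = dict(rec, raw_data=rec["http_req_headers"])  # '| rename http_req_headers as raw_data'
        if not is_web_scan(rec) or (rec["src_ip"], rec["vhost"]) in exceptions:
            continue
        messages.append(f"WAPPLES Web Scanning Detected: {rec['src_ip']} "
                        f"-> {rec['vhost']} ({rec['tags']})")
    return messages
```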
Message
- WAPPLES Web Scanning Detected: $src_ip ($src_asn) -> $vhost ($tags)
Output Field Order
- _log_time, risk, src_ip, vhost, tags, decoded_strings, highlights, signature, action, reason, raw_data
Threat Analysis
- Attackers send abnormal HTTP requests through automated scanning tools or manual probes in order to identify vulnerabilities in web applications. Such activity often produces patterns such as non-existent page requests (404 responses), hidden file access attempts, or attempts to download backup/configuration files, which are clearly distinguishable from normal user behavior.
- These scanning behaviors are part of reconnaissance (information-gathering) activities that precede actual attacks. They are used to map directory structures, locate sensitive files, and identify vulnerable services. Later, this information may be leveraged for serious compromises such as remote code execution, privilege escalation, or data exfiltration.
- Therefore, this detection indicates that an attacker is identifying and analyzing the system in a pre-intrusion stage. If not promptly blocked, the organization’s services and data are at risk of exposure to actual attacks.
False Positive Types
- The ml-scan-http-request command classifies true/false positives using a machine learning model, so legitimate HTTP requests may occasionally be misclassified as attacks. For clearly identifiable false-positive patterns, add exception conditions to the detection rule so that identical alerts are not generated repeatedly.
Response Plan
- This detection scenario automatically validates HTTP request payloads and raises alerts only when the request is confirmed to involve vulnerability probing or sensitive information gathering. Security personnel should review the attack details and block the attacker’s IP address. Failure to block attacker IPs at the reconnaissance stage may allow subsequent valid exploit attempts to succeed.
MITRE ATT&CK
- Tactic
- Reconnaissance
- Technique
- Name: Active Scanning: Vulnerability Scanning
- ID: T1595.002
- Reference URL: https://attack.mitre.org/techniques/T1595/002/