Potential HTTP Downgrade Attack

Through the new_terms rule type, this rule detects potential HTTP downgrade attacks by identifying HTTP traffic that uses a different HTTP version than the one typically used in the environment. An HTTP downgrade attack occurs when an attacker forces a connection via an older HTTP version, resulting in potentially less secure communication. For example, an attacker might downgrade a connection from HTTP/2 to HTTP/1.1 or HTTP/1.0 to exploit known vulnerabilities or weaknesses in the older protocol versions.

Rule type: new_terms
Rule indices:

• logs-nginx.access-*
• logs-apache.access-*
• logs-apache_tomcat.access-*

Rule Severity: low
Risk Score: 21
Runs every:
Searches indices from: now-9m
Maximum alerts per execution: ?
References:

Tags:

• Domain: Web
• Use Case: Threat Detection
• Tactic: Defense Evasion
• Data Source: Nginx
• Data Source: Apache
• Data Source: Apache Tomcat

Version: ?
Rule authors:

• Elastic

Rule license: Elastic License v2

http.version:*
		

Framework: MITRE ATT&CK

• Tactic:

  • Name: Defense Evasion
  • Id: TA0005
  • Reference URL: https://attack.mitre.org/tactics/TA0005/

• Technique:

  • Name: Impair Defenses
  • Id: T1562
  • Reference URL: https://attack.mitre.org/techniques/T1562/

• Sub Technique:

  • Name: Downgrade Attack
  • Id: T1562.010
  • Reference URL: https://attack.mitre.org/techniques/T1562/010/