From c527bdb8b891edf55bb347c2155c0214a681b76e Mon Sep 17 00:00:00 2001
From: Geeknik Labs <466878+geeknik@users.noreply.github.com>
Date: Mon, 1 Nov 2021 13:20:30 -0500
Subject: [PATCH] Create ruby-on-rails-framework-exceptions.yaml
---
.../ruby-on-rails-framework-exceptions.yaml | 28 +++++++++++++++++++
1 file changed, 28 insertions(+)
create mode 100644 file/logs/ruby-on-rails-framework-exceptions.yaml
diff --git a/file/logs/ruby-on-rails-framework-exceptions.yaml b/file/logs/ruby-on-rails-framework-exceptions.yaml
new file mode 100644
index 0000000000..79f72f58c0
--- /dev/null
+++ b/file/logs/ruby-on-rails-framework-exceptions.yaml
@@ -0,0 +1,28 @@
+id: ruby-on-rails-framework-exceptions
+
+info:
+ name: Ruby on Rails Framework Exceptions
+ description: Detects suspicious Ruby on Rails exceptions that could indicate exploitation attempts
+ author: geeknik
+ reference:
+ - http://edgeguides.rubyonrails.org/security.html
+ - http://guides.rubyonrails.org/action_controller_overview.html
+ - https://stackoverflow.com/questions/25892194/does-rails-come-with-a-not-authorized-exception
+ - https://github.com/rails/rails/blob/master/actionpack/lib/action_dispatch/middleware/exception_wrapper.rb
+ severity: medium
+ tags: file,logs,ruby,rails
+
+file:
+ - extensions:
+ - all
+
+ extractors:
+ - type: regex
+ name: exception
+ part: body
+ regex:
+ - 'ActionController\:\:InvalidAuthenticityToken'
+ - 'ActionController::InvalidCrossOriginRequest'
+ - 'ActionController::MethodNotAllowed'
+ - 'ActionController::BadRequest'
+ - 'ActionController::ParameterMissing'
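Review bot: With `extensions: all` and unanchored class-name patterns, the extractor will also fire on Rails application source, gems and documentation that merely mention these constants (for example a `rescue_from ActionController::InvalidAuthenticityToken` handler), not only on log entries. Narrowing the scope to log files, e.g. `- log` under `extensions`, would keep the results tied to actual runtime events. Several of the listed exceptions, such as `ActionController::ParameterMissing` and `ActionController::MethodNotAllowed`, are also raised by ordinary malformed or expired requests, so `severity: medium` probably overstates a single hit. I would use `severity: info` and say in `description` that matches are triage leads to correlate with source address and request volume. Separately, the first pattern escapes the separator as `\:\:` while the other four use plain `::`; both match the same text, so use the unescaped form throughout.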