Create ruby-on-rails-framework-exceptions.yaml

file/logs/ruby-on-rails-framework-exceptions.yaml

@@ -0,0 +1,28 @@
+id: ruby-on-rails-framework-exceptions
+
+info:
+  name: Ruby on Rails Framework Exceptions
+  description: Detects suspicious Ruby on Rails exceptions that could indicate exploitation attempts
+  author: geeknik
+  reference:
+    - http://edgeguides.rubyonrails.org/security.html
+    - http://guides.rubyonrails.org/action_controller_overview.html
+    - https://stackoverflow.com/questions/25892194/does-rails-come-with-a-not-authorized-exception
+    - https://github.com/rails/rails/blob/master/actionpack/lib/action_dispatch/middleware/exception_wrapper.rb
+  severity: medium
+  tags: file,logs,ruby,rails
+
+file:
+  - extensions:
+      - all
+
+    extractors:
+      - type: regex
+        name: exception
+        part: body
+        regex:
+          - 'ActionController\:\:InvalidAuthenticityToken'
+          - 'ActionController::InvalidCrossOriginRequest'
+          - 'ActionController::MethodNotAllowed'
+          - 'ActionController::BadRequest'
+          - 'ActionController::ParameterMissing'