Phoenix Studio

Convert indexed Sigma rules into analyst-ready detections.

This studio is built around Phoenix's own rule corpus, not a blank editor. Search by title or rule id, choose a live sigma-cli backend, then reveal pipelines only when you actually need them.

Indexed Rules

3,707

Ready to search

Backends

17

Live from sigconverter.io

CLI Versions

10

Newest: 2.0.2

Translation Workspace

Shape the rule before it leaves Phoenix

Tune Translation

Active Rule

Potential Information Disclosure CVE-2023-43261 Exploitation - Web

Target Profile

Splunk

Splunk SPL & tstats data model queries

Format Mode

Default

Plain SPL queries

Conversion Output

Potential Information Disclosure CVE-2023-43261 Exploitation - Web

Using Splunk · Default · sigma-cli 2.0.2

Translation controls

Adjust the rule on the left, then regenerate when you want a fresh backend-native query.

Backend: Splunk · Format: Default · Version: 2.0.2
title: Potential Information Disclosure CVE-2023-43261 Exploitation - Web
id: a2bcca38-9f3a-4d5e-b603-0c587e8569d7
related:
    - id: f48f5368-355c-4a1b-8bf5-11c13d589eaa
      type: similar
status: test
description: |
    Detects exploitation attempts of CVE-2023-43261 and information disclosure in Milesight UR5X, UR32L, UR32, UR35, UR41 before v35.3.0.7 that allows attackers to access sensitive router components in access logs.
references:
    - https://thehackernews.com/2023/10/experts-warn-of-severe-flaws-affecting.html
    - https://medium.com/@win3zz/inside-the-router-how-i-accessed-industrial-routers-and-reported-the-flaws-29c34213dfdf
    - https://github.com/win3zz/CVE-2023-43261
    - https://vulncheck.com/blog/real-world-cve-2023-43261
author: Nasreddine Bencherchali (Nextron Systems), Thurein Oo
date: 2023-10-20
modified: 2023-10-30
tags:
    - attack.initial-access
    - attack.t1190
    - cve.2023-43261
    - detection.emerging-threats
logsource:
    category: webserver
    definition: 'Requirements: In order for this detection to trigger, access logs of the router must be collected.'
detection:
    selection:
        cs-method: 'GET'
        # Note: In theory the path could point at other files too, but since this log can contain passwords and other interesting information, it is the most likely target during a real attack
        cs-uri-stem|contains: '/lang/log/httpd.log' # Also covers the rotated .old copy
        sc-status: 200
    condition: selection
falsepositives:
    - Unknown
level: high

CLI command

Copy the exact command to reproduce this translation locally.

sigma convert --without-pipeline -t splunk -f default rules-emerging-threats/2023/Exploits/CVE-2023-43261/web_exploit_cve_2023_43261_milesight_information_disclosure.yml
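To see what the rule above actually asserts before trusting the translated query, the following added example (written for this page; it is not sigma-cli, pySigma or Phoenix Studio code) transcribes the rule's `selection` block into a Python dict, renders it as an SPL-style search whose shape approximates what the Splunk backend emits (the authoritative output is what the `sigma convert` command prints), and runs the same AND-of-fields logic over a constructed W3C-style access log so an analyst can confirm which records the detection would flag. The `#Fields:` header, field names and log lines are assumptions made for the example.

```python
"""Render a flat Sigma selection as an SPL-style search and validate the
same logic against constructed access-log records.

Illustrative code added to this page; not sigma-cli, pySigma or Phoenix
Studio code. The SPL string is an approximation of the backend's shape.
"""

# The `selection` block of the rule above, transcribed by hand (assumption:
# this mirrors the page's YAML, so no YAML parser is needed).
SELECTION = {
    "cs-method": "GET",
    "cs-uri-stem|contains": "/lang/log/httpd.log",
    "sc-status": 200,
}

# Constructed W3C extended-format access log (documentation IP ranges).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2023-10-21 10:00:01 203.0.113.5 GET /lang/log/httpd.log 200
2023-10-21 10:00:02 203.0.113.5 GET /lang/log/httpd.log.old 200
2023-10-21 10:00:03 198.51.100.9 GET /index.html 200
2023-10-21 10:00:04 203.0.113.5 GET /lang/log/httpd.log 404
2023-10-21 10:00:05 203.0.113.5 POST /lang/log/httpd.log 200
"""

SUPPORTED_MODIFIERS = ("", "contains", "startswith", "endswith")


def _wildcard(value, modifier):
    """Turn a Sigma value plus modifier into a Splunk wildcard pattern."""
    if modifier == "contains":
        return f"*{value}*"
    if modifier == "startswith":
        return f"{value}*"
    if modifier == "endswith":
        return f"*{value}"
    return str(value)


def selection_to_spl(selection):
    """Render a flat selection map (implicit AND of fields) as SPL terms.

    Numbers stay unquoted, strings are double-quoted; an unsupported
    modifier raises rather than being silently dropped from the query.
    """
    terms = []
    for key, value in selection.items():
        field, _, modifier = key.partition("|")
        if modifier not in SUPPORTED_MODIFIERS:
            raise ValueError(f"unsupported modifier: {modifier}")
        if isinstance(value, int) and modifier == "":
            terms.append(f"{field}={value}")
        else:
            pattern = _wildcard(value, modifier).replace('"', '\\"')
            terms.append(f'{field}="{pattern}"')
    return " ".join(terms)


def parse_w3c(text):
    """Parse W3C extended log lines using the `#Fields:` header for names.

    Malformed lines (field count mismatch) are skipped, not guessed at.
    """
    fields, records = None, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields is not None:
            parts = line.split()
            if len(parts) == len(fields):
                records.append(dict(zip(fields, parts)))
    return records


def matches(selection, record):
    """True when every selection field matches; Sigma string matching is
    case-insensitive by default, so comparisons are lower-cased."""
    for key, value in selection.items():
        field, _, modifier = key.partition("|")
        actual = record.get(field)
        if actual is None:
            return False
        actual, expected = str(actual).lower(), str(value).lower()
        if modifier == "" and actual != expected:
            return False
        if modifier == "contains" and expected not in actual:
            return False
        if modifier == "startswith" and not actual.startswith(expected):
            return False
        if modifier == "endswith" and not actual.endswith(expected):
            return False
    return True


def find_hits(selection, records):
    """Return the records the selection would flag, in log order."""
    return [r for r in records if matches(selection, r)]


if __name__ == "__main__":
    print(selection_to_spl(SELECTION))
    for hit in find_hits(SELECTION, parse_w3c(SAMPLE_LOG)):
        print("HIT", hit["c-ip"], hit["cs-method"], hit["cs-uri-stem"], hit["sc-status"])
```

Running the block prints the rendered search and then the two records that satisfy all three conditions: the `GET` of `/lang/log/httpd.log` and of its `.old` copy with status `200`. The `404` and `POST` lines are deliberately present to show that the `sc-status` and `cs-method` terms are not decorative; dropping either from a hand-edited query would widen the detection.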