From eae7e3ab1051863d1d97de505a3fe28a749594dc Mon Sep 17 00:00:00 2001
From: James Ahearn
Date: Sat, 8 Jun 2019 22:40:28 -0400
Subject: [PATCH] Web Source Code Enumeration via .git
---
rules/web/web_source_code_enumeration.yml | 20 ++++++++++++++++++++
1 file changed, 20 insertions(+)
create mode 100644 rules/web/web_source_code_enumeration.yml
diff --git a/rules/web/web_source_code_enumeration.yml b/rules/web/web_source_code_enumeration.yml
new file mode 100644
index 00000000000..f5a4f6a2c75
--- /dev/null
+++ b/rules/web/web_source_code_enumeration.yml
@@ -0,0 +1,20 @@
+title: Source Code Enumeration Detection by Keyword
+description: Detects source code enumeration that use GET requests by keyword searches in URL strings
+author: James Ahearn
+references:
+ - 'https://pentester.land/tutorials/2018/10/25/source-code-disclosure-via-exposed-git-folder.html'
+ - 'https://medium.com/@logicbomb_1/bugbounty-how-i-was-able-to-download-the-source-code-of-indias-largest-telecom-service-52cf5c5640a1'
+logsource:
+ category: webserver
+detection:
+ keywords:
+ - '*.git/*'
+ condition: keywords
+fields:
+ - client_ip
+ - vhost
+ - url
+ - response
+falsepositives:
+ - unknown
+level: medium
\ No newline at end of file
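Review bot: The keyword `'*.git/*'` under `detection.keywords` matches any log line that contains `.git/`, so ordinary Git-over-HTTP traffic to a hosted repository (paths such as `project.git/info/refs`) and, where the referrer is logged, referrer strings would raise a medium alert even though the rule targets probes of an exposed `.git` directory. Anchoring on the path segment with `- '*/.git/*'` keeps the intended hits and drops the hosted-repository case, and `falsepositives` should then name what remains instead of `unknown`, for example `- Git repositories intentionally served from the web root`. The condition also ignores the response status, so a probe answered with 404 and a successful disclosure look identical; the description should tell analysts to triage on the `response` field already listed under `fields`. The description also promises GET requests while nothing in the detection restricts the method, so either drop that wording or state that any method matches.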