turbot/tailpipe-mod-apache-access-log-detections

Query: header_based_local_file_inclusion

Usage

powerpipe query apache_access_log_detections.query.header_based_local_file_inclusion

Tailpipe Tables

SQL

select
  tp_timestamp as timestamp,
  request_method as operation,
  request_uri as resource,
  status,
  http_user_agent as actor,
  tp_source_ip as source_ip,
  tp_id as source_id,
  -- Create new aliases to preserve original row data
  status as status_src,
  timestamp as timestamp_src,
  *
  exclude (status, timestamp)
from
  apache_access_log
where
  http_user_agent is not null
  and (
    -- Path traversal in User-Agent
    http_user_agent ilike '%../%'
    or http_user_agent ilike '%/../%'
    or http_user_agent ilike '%\\..\\%'
    or http_user_agent ilike '%\\.\\%'
    -- Encoded path traversal in User-Agent
    or http_user_agent ilike '%..%2f%'
    or http_user_agent ilike '%..%2F%'
    or http_user_agent ilike '%%2e%2e%2f%'
    or http_user_agent ilike '%%2E%2E%2F%'
    or http_user_agent ilike '%..%5c%'
    or http_user_agent ilike '%..%5C%'
    -- OS file access in User-Agent
    or http_user_agent ilike '%/etc/passwd%'
    or http_user_agent ilike '%/etc/shadow%'
    or http_user_agent ilike '%/etc/hosts%'
    or http_user_agent ilike '%/proc/self/%'
    or http_user_agent ilike '%win.ini%'
    or http_user_agent ilike '%system32%'
    or http_user_agent ilike '%boot.ini%'
  )
order by
  tp_timestamp desc;
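The same check run outside the database over raw log lines, as an added example that is not part of the mod: it parses Apache combined-format lines and applies the query's ilike patterns with LIKE semantics (% as a wildcard, no ESCAPE clause), which makes visible that the % inside URL-encoded fragments such as ..%2f is itself a wildcard and can match unencoded text. The log layout, the reading of the backslash literals as single backslashes, and the sample lines are assumptions.

```python
import re
from datetime import datetime
# Apache "combined" format; this layout is an assumption about the input.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# The query's ilike patterns; upper-case twins (..%2F etc.) are omitted because ilike is
# case-insensitive, and the backslash forms are read as single backslashes (an assumption).
LIKE_PATTERNS = [
    "%../%", "%/../%", "%\\..\\%", "%\\.\\%", "%..%2f%", "%%2e%2e%2f%", "%..%5c%",
    "%/etc/passwd%", "%/etc/shadow%", "%/etc/hosts%", "%/proc/self/%",
    "%win.ini%", "%system32%", "%boot.ini%",
]

def like_to_regex(pattern):
    # LIKE with no ESCAPE clause: % is any run of characters, _ any single character.
    # The % inside URL-encoded fragments such as ..%2f is therefore a wildcard as well.
    return "".join(".*" if c == "%" else "." if c == "_" else re.escape(c) for c in pattern)

UA_RES = [re.compile(like_to_regex(p), re.I | re.S) for p in LIKE_PATTERNS]

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def ua_matches(user_agent):
    # Equivalent of `http_user_agent is not null and (... ilike ...)`.
    return user_agent is not None and any(r.fullmatch(user_agent) for r in UA_RES)

def detect(lines):
    # Run the check over raw log lines and return the query's columns, newest hit first.
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and ua_matches(rec["ua"]):
            hits.append({
                "timestamp": datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z"),
                "operation": rec["method"], "resource": rec["uri"], "status": int(rec["status"]),
                "actor": rec["ua"], "source_ip": rec["ip"],
            })
    return sorted(hits, key=lambda h: h["timestamp"], reverse=True)

# Constructed sample lines (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 ../../../../etc/passwd"',
    '198.51.100.7 - - [10/Oct/2023:13:57:10 +0000] "GET / HTTP/1.1" 404 0 "-" "curl/8.0 ..%2F..%2Fwin.ini"',
    # Traversal in the URI with a clean User-Agent: outside what this query inspects.
    '203.0.113.22 - - [10/Oct/2023:13:58:00 +0000] "GET /../../etc/passwd HTTP/1.1" 400 0 "-" "Mozilla/5.0"',
]
```

`detect(SAMPLE_LOG)` returns the two User-Agent hits and ignores the fourth line, whose traversal sits in the request URI rather than the header.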

Detections

The query is used by the following detections: