
Struts CVE-2018-11776 SNORT Rules

a guest
Aug 23rd, 2018
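  # Snort 2.x signatures for Apache Struts OGNL injection (CVE-2018-11776).
  #
  # Deployment notes:
  #   * "sid:x; rev:x;" are placeholders left by the author. Snort will not load
  #     the rules until each gets a unique numeric sid (local rules conventionally
  #     use sid >= 1000000) and a numeric rev.
  #   * The typographic quotes from the original paste have been replaced with
  #     ASCII double quotes; the rule parser only accepts the ASCII form.
  #   * Every rule inspects "any any -> $HOME_NET any", i.e. all established TCP
  #     sessions on every port. Scoping to the variables that describe your web
  #     tier (for example $HTTP_SERVERS / $HTTP_PORTS) cuts both load and false
  #     positives, but only if those variables really cover every Struts listener.
  #   * The content matches are literal and use "rawbytes", so they are evaluated
  #     against the payload as sent on the wire. Percent-encoded spellings of the
  #     same class names are not covered; consider companion rules on the
  #     normalized HTTP buffers (http_uri, http_client_body) if you need that.
  #   * In each pcre, the R flag makes the expression relative to the end of the
  #     preceding content match, so "^" anchors to the byte right after it.
  #   * Validate the file with "snort -T -c <your snort.conf>" before enabling it.

  # OGNL runtime classes referenced directly after "ognl.".
  alert tcp any any -> $HOME_NET any (msg:"CVE-2018-11776 Struts ognl"; flow:established,to_server; content:"ognl|2e|"; rawbytes; nocase; pcre:"/(?:^(OgnlContext|ClassResolver|TypeConverter|MemberAccess)[A-Za-z\.]+)/iR"; sid:x; rev:x;)

  # XWork classes referenced after "com.opensymphony.xwork2.".
  # NOTE(review): "UnixProcess" looks like a JDK class (java.lang.UNIXProcess)
  # rather than an xwork2 one, so that alternative may never fire here; confirm.
  alert tcp any any -> $HOME_NET any (msg:"CVE-2018-11776 Struts opensymphony"; flow:established,to_server; content:"com|2e|opensymphony|2e|xwork2|2e|"; rawbytes; nocase; pcre:"/(?:^((ognl\.SecurityMemberAccess)|(ActionContext|UnixProcess))[A-Za-z\.]+)/iR"; sid:x; rev:x;)

  # FreeMarker packages. The original paste was missing the opening quote of the
  # pcre argument, which made the rule unparseable; it is restored here.
  alert tcp any any -> $HOME_NET any (msg:"CVE-2018-11776 Struts freemarker"; flow:established,to_server; content:"freemarker|2e|"; rawbytes; nocase; pcre:"/(?:^(core|template|ext\.(rhino|beans))\.[A-Za-z\.]+)/iR"; sid:x; rev:x;)

  # sun.misc.* / sun.reflect.* references.
  alert tcp any any -> $HOME_NET any (msg:"CVE-2018-11776 Struts sun"; flow:established,to_server; content:"sun|2e|"; rawbytes; nocase; pcre:"/(?:^(misc|reflect)\.[A-Za-z\.]+)/iR"; sid:x; rev:x;)

  # Any javassist.* reference. The pcre only requires one letter or dot after
  # "javassist.", so this is the broadest rule of the set and the most likely to
  # fire on benign traffic (documentation, stack traces, build artefacts).
  alert tcp any any -> $HOME_NET any (msg:"CVE-2018-11776 Struts javassist"; flow:established,to_server; content:"javassist|2e|"; rawbytes; nocase; pcre:"/(?:^[A-Za-z\.]+)/iR"; sid:x; rev:x;)

  # Core java.lang classes. Because the class alternation is followed by
  # [A-Za-z\.]+, a bare class name with nothing alphabetic or "." after it
  # does not match.
  alert tcp any any -> $HOME_NET any (msg:"CVE-2018-11776 Struts java.lang"; flow:established,to_server; content:"java|2e|lang|2e|"; rawbytes; nocase; pcre:"/(?:^(Object|Runtime|System|Class|ClassLoader|Shutdown|ProcessBuilder)[A-Za-z\.]+)/iR"; sid:x; rev:x;)

  # Generic OGNL expression opener. As written, the content is hex 25, then the
  # literal text "7b", then hex 28, i.e. the four bytes "%7b(".
  # NOTE(review): if the intent was the three raw bytes "%{(", the content would
  # need to be "|25 7b 28|" instead; confirm against test traffic.
  # The msg text is kept as published; it names S2-045/S2-053, whereas the Struts
  # advisory for CVE-2018-11776 is S2-057.
  alert tcp any any -> $HOME_NET any (msg:"CVE-2018-11776 OGNL execution in URI via S2-045 and S2-053k detection"; flow:established,to_server; content:"|25|7b|28|"; rawbytes; fast_pattern:only; sid:x; rev:x;)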