
Struts CVE-2018-11776 SNORT Rules

Aug 23rd, 2018
  1. alert tcp any any -> $HOME_NET any (msg:”CVE-2018-11776 Struts ognl”; flow:established, to_server; content:”ognl|2e|”; rawbytes; nocase; pcre: "/^(OgnlContext|ClassResolver|TypeConverter|MemberAccess)[A-Za-z\.]+/iR"; sid:x; rev:x;)
  2.  
  3. alert tcp any any -> $HOME_NET any (msg:”CVE-2018-11776 Struts opensymphony”; flow:established, to_server; content:”com|2e|opensymphony|2e|xwork2|2e|”; rawbytes; nocase; pcre: "/^((ognl\.SecurityMemberAccess)|(ActionContext|UnixProcess))[A-Za-z\.]+/iR"; sid:x; rev:x;)
  4.  
  5. alert tcp any any -> $HOME_NET any (msg:”CVE-2018-11776 Struts freemarker”; flow:established, to_server; content:”freemarker|2e|”; rawbytes; nocase; pcre: /^(core|template|ext\.(rhino|beans))\.[A-Za-z\.]+/iR"; sid:x; rev:x;)
  6.  
  7. alert tcp any any -> $HOME_NET any (msg:”CVE-2018-11776 Struts sun”; flow:established, to_server; content:”sun|2e|”; rawbytes; nocase; pcre: "/^(misc|reflect)\.[A-Za-z\.]+/iR"; sid:x; rev:x;)
  8.  
  9. alert tcp any any -> $HOME_NET any (msg:”CVE-2018-11776 Struts javassist”; flow:established, to_server; content:”javassist|2e|”; rawbytes; nocase; pcre: "/^[A-Za-z\.]+/iR"; sid:x; rev:x;)
  10.  
  11. alert tcp any any -> $HOME_NET any (msg:”CVE-2018-11776 Struts java.lang”; flow:established, to_server; content:”java|2e|lang|2e|”; rawbytes; nocase; pcre: "/^(Object|Runtime|System|Class|ClassLoader|Shutdown|ProcessBuilder)[A-Za-z\.]+/iR"; sid:x; rev:x;)
  12.  
  13. alert tcp any any -> $HOME_NET any (msg:"CVE-2018-11776 OGNL execution in URI via S2-045 and S2-053k detection"; flow:established, to_server; content:"|25|7b|28|"; rawbytes; fast_pattern:only; sid:x; rev:x;)
  14.  
# ------- Talos Snort signatures for S2-057 (SIDs 29639, 39190, 39191) -------
  16. alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-APACHE Apache Struts wildcard matching OGNL remote code execution attempt"; flow:to_server,established; http_uri; content:"${"; content:"}",distance 0; pcre:"/\x24\{[^\x2f{}]+?\}/i"; metadata:policy max-detect-ips drop; service:http; reference:bugtraq,60346; reference:cve,2013-2134; reference:cve,2018-11776; reference:url,cwiki.apache.org/confluence/display/WW/S2-015; reference:url,cwiki.apache.org/confluence/display/WW/S2-057; reference:url,osvdb.org/show/osvdb/93969; classtype:attempted-admin; sid:29639; rev:3; )
  17.  
  18. alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-APACHE Apache Struts remote code execution attempt"; flow:to_server,established; http_uri; content:"|23|_memberAccess",fast_pattern,nocase; content:"@java.lang.",nocase; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop; service:http; reference:cve,2016-3087; reference:cve,2018-11776; reference:url,cwiki.apache.org/confluence/display/WW/S2-057; reference:url,struts.apache.org/docs/s2-033.html; classtype:attempted-admin; sid:39190; rev:3; )
  19.  
  20. alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-APACHE Apache Struts remote code execution attempt"; flow:to_server,established; http_uri; content:"|23|_memberAccess",fast_pattern,nocase; content:"new ",nocase; pcre:"/new\s+(java|org|sun)/i"; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop; service:http; reference:cve,2016-3087; reference:cve,2017-12611; reference:cve,2018-11776; reference:url,cwiki.apache.org/confluence/display/WW/S2-057; reference:url,struts.apache.org/docs/s2-033.html; reference:url,struts.apache.org/docs/s2-053.html; classtype:attempted-admin; sid:39191; rev:3; )