
Struts CVE-2018-11776 SNORT Rules

a guest Aug 23rd, 2018 898 Never
  1. alert tcp any any -> $HOME_NET any (msg:”CVE-2018-11776 Struts ognl”; flow:established, to_server; content:”ognl|2e|”; rawbytes; nocase; pcre: "/^(OgnlContext|ClassResolver|TypeConverter|MemberAccess)[A-Za-z\.]+/iR"; sid:x; rev:x;)
  2.  
  3. alert tcp any any -> $HOME_NET any (msg:”CVE-2018-11776 Struts opensymphony”; flow:established, to_server; content:”com|2e|opensymphony|2e|xwork2|2e|”; rawbytes; nocase; pcre: "/^((ognl\.SecurityMemberAccess)|(ActionContext|UnixProcess))[A-Za-z\.]+/iR"; sid:x; rev:x;)
  4.  
  5. alert tcp any any -> $HOME_NET any (msg:”CVE-2018-11776 Struts freemarker”; flow:established, to_server; content:”freemarker|2e|”; rawbytes; nocase; pcre: /^(core|template|ext\.(rhino|beans))\.[A-Za-z\.]+/iR"; sid:x; rev:x;)
  6.  
  7. alert tcp any any -> $HOME_NET any (msg:”CVE-2018-11776 Struts sun”; flow:established, to_server; content:”sun|2e|”; rawbytes; nocase; pcre: "/^(misc|reflect)\.[A-Za-z\.]+/iR"; sid:x; rev:x;)
  8.  
  9. alert tcp any any -> $HOME_NET any (msg:”CVE-2018-11776 Struts javassist”; flow:established, to_server; content:”javassist|2e|”; rawbytes; nocase; pcre: "/^[A-Za-z\.]+/iR"; sid:x; rev:x;)
  10.  
  11. alert tcp any any -> $HOME_NET any (msg:”CVE-2018-11776 Struts java.lang”; flow:established, to_server; content:”java|2e|lang|2e|”; rawbytes; nocase; pcre: "/^(Object|Runtime|System|Class|ClassLoader|Shutdown|ProcessBuilder)[A-Za-z\.]+/iR"; sid:x; rev:x;)
  12.  
  13. alert tcp any any -> $HOME_NET any (msg:"CVE-2018-11776 OGNL execution in URI via S2-045 and S2-053k detection"; flow:established, to_server; content:"|25|7b|28|"; rawbytes; fast_pattern:only; sid:x; rev:x;)
  14.  
  15. -------Talos SNORT Sigs--------
  16. alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-APACHE Apache Struts wildcard matching OGNL remote code execution attempt"; flow:to_server,established; http_uri; content:"${"; content:"}",distance 0; pcre:"/\x24\{[^\x2f{}]+?\}/i"; metadata:policy max-detect-ips drop; service:http; reference:bugtraq,60346; reference:cve,2013-2134; reference:cve,2018-11776; reference:url,cwiki.apache.org/confluence/display/WW/S2-015; reference:url,cwiki.apache.org/confluence/display/WW/S2-057; reference:url,osvdb.org/show/osvdb/93969; classtype:attempted-admin; sid:29639; rev:3; )
  17.  
  18. alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-APACHE Apache Struts remote code execution attempt"; flow:to_server,established; http_uri; content:"|23|_memberAccess",fast_pattern,nocase; content:"@java.lang.",nocase; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop; service:http; reference:cve,2016-3087; reference:cve,2018-11776; reference:url,cwiki.apache.org/confluence/display/WW/S2-057; reference:url,struts.apache.org/docs/s2-033.html; classtype:attempted-admin; sid:39190; rev:3; )
  19.  
  20. alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-APACHE Apache Struts remote code execution attempt"; flow:to_server,established; http_uri; content:"|23|_memberAccess",fast_pattern,nocase; content:"new ",nocase; pcre:"/new\s+(java|org|sun)/i"; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop; service:http; reference:cve,2016-3087; reference:cve,2017-12611; reference:cve,2018-11776; reference:url,cwiki.apache.org/confluence/display/WW/S2-057; reference:url,struts.apache.org/docs/s2-033.html; reference:url,struts.apache.org/docs/s2-053.html; classtype:attempted-admin; sid:39191; rev:3; )