
Struts CVE-2018-11776 SNORT Rules

a guest
Aug 23rd, 2018
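  # Community (guest) signatures for CVE-2018-11776 (Apache Struts S2-057), Snort 2 syntax.
  # Corrections applied to the pasted text so the rules actually parse:
  #   - typographic quotes (”) replaced with ASCII double quotes; Snort rejects the former.
  #   - the missing opening quote on the freemarker pcre restored.
  #   - flow:established, to_server written without the embedded space.
  #   - the "%{(" content rewritten as one hex block |25 7b 28|: the original |25|7b|28|
  #     toggled hex mode twice and therefore matched the bytes '%' '7' 'b' '(' instead.
  # sid:x / rev:x are placeholders; assign numeric local sids (>= 1000000) before loading.
  # Detection caveats: these inspect the raw TCP payload to any destination port (no
  # $HTTP_PORTS, no http_uri/normalized buffer), so a URL-encoded payload (e.g. "." as %2e,
  # "%{(" as %25%7b%28) is not matched, and non-HTTP traffic carrying these strings also alerts.
  # Each pcre uses the R flag, so its ^ anchors at the end of the preceding content match.
  alert tcp any any -> $HOME_NET any (msg:"CVE-2018-11776 Struts ognl"; flow:established,to_server; content:"ognl|2e|"; rawbytes; nocase; pcre:"/^(OgnlContext|ClassResolver|TypeConverter|MemberAccess)[A-Za-z\.]+/iR"; sid:x; rev:x;)

  alert tcp any any -> $HOME_NET any (msg:"CVE-2018-11776 Struts opensymphony"; flow:established,to_server; content:"com|2e|opensymphony|2e|xwork2|2e|"; rawbytes; nocase; pcre:"/^((ognl\.SecurityMemberAccess)|(ActionContext|UnixProcess))[A-Za-z\.]+/iR"; sid:x; rev:x;)

  alert tcp any any -> $HOME_NET any (msg:"CVE-2018-11776 Struts freemarker"; flow:established,to_server; content:"freemarker|2e|"; rawbytes; nocase; pcre:"/^(core|template|ext\.(rhino|beans))\.[A-Za-z\.]+/iR"; sid:x; rev:x;)

  alert tcp any any -> $HOME_NET any (msg:"CVE-2018-11776 Struts sun"; flow:established,to_server; content:"sun|2e|"; rawbytes; nocase; pcre:"/^(misc|reflect)\.[A-Za-z\.]+/iR"; sid:x; rev:x;)

  # Broadest rule of the set: any letter/dot run after "javassist." matches, expect noise.
  alert tcp any any -> $HOME_NET any (msg:"CVE-2018-11776 Struts javassist"; flow:established,to_server; content:"javassist|2e|"; rawbytes; nocase; pcre:"/^[A-Za-z\.]+/iR"; sid:x; rev:x;)

  alert tcp any any -> $HOME_NET any (msg:"CVE-2018-11776 Struts java.lang"; flow:established,to_server; content:"java|2e|lang|2e|"; rawbytes; nocase; pcre:"/^(Object|Runtime|System|Class|ClassLoader|Shutdown|ProcessBuilder)[A-Za-z\.]+/iR"; sid:x; rev:x;)

  # Matches the literal OGNL expression opener "%{(" (0x25 0x7b 0x28); msg text kept as pasted.
  alert tcp any any -> $HOME_NET any (msg:"CVE-2018-11776 OGNL execution in URI via S2-045 and S2-053k detection"; flow:established,to_server; content:"|25 7b 28|"; rawbytes; fast_pattern:only; sid:x; rev:x;)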
  14.  
  # -------Talos SNORT Sigs--------
  # These three rules appear to be in Snort 3 syntax (http_uri as a sticky buffer,
  # comma-separated content modifiers such as "content:...,fast_pattern,nocase", and
  # "service:http"); they are unlikely to load unchanged on a Snort 2 sensor, which
  # expects the modifiers as separate options after the content. Unlike the community
  # rules above, they are scoped to $EXTERNAL_NET -> $HOME_NET $HTTP_PORTS and inspect
  # the normalized URI buffer.
  # sid 29639: "${...}" in the URI with no "/", "{" or "}" inside the braces (the wildcard-
  # matching / namespace injection form referenced as S2-015 and S2-057).
  alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-APACHE Apache Struts wildcard matching OGNL remote code execution attempt"; flow:to_server,established; http_uri; content:"${"; content:"}",distance 0; pcre:"/\x24\{[^\x2f{}]+?\}/i"; metadata:policy max-detect-ips drop; service:http; reference:bugtraq,60346; reference:cve,2013-2134; reference:cve,2018-11776; reference:url,cwiki.apache.org/confluence/display/WW/S2-015; reference:url,cwiki.apache.org/confluence/display/WW/S2-057; reference:url,osvdb.org/show/osvdb/93969; classtype:attempted-admin; sid:29639; rev:3; )

  # sid 39190: "#_memberAccess" in the URI together with "@java.lang." (sandbox-bypass
  # plus static class reference); shared with the S2-033 reference.
  alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-APACHE Apache Struts remote code execution attempt"; flow:to_server,established; http_uri; content:"|23|_memberAccess",fast_pattern,nocase; content:"@java.lang.",nocase; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop; service:http; reference:cve,2016-3087; reference:cve,2018-11776; reference:url,cwiki.apache.org/confluence/display/WW/S2-057; reference:url,struts.apache.org/docs/s2-033.html; classtype:attempted-admin; sid:39190; rev:3; )

  # sid 39191: "#_memberAccess" in the URI together with "new " followed by a java/org/sun
  # package name (object instantiation form); also referenced against S2-053.
  alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-APACHE Apache Struts remote code execution attempt"; flow:to_server,established; http_uri; content:"|23|_memberAccess",fast_pattern,nocase; content:"new ",nocase; pcre:"/new\s+(java|org|sun)/i"; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop; service:http; reference:cve,2016-3087; reference:cve,2017-12611; reference:cve,2018-11776; reference:url,cwiki.apache.org/confluence/display/WW/S2-057; reference:url,struts.apache.org/docs/s2-033.html; reference:url,struts.apache.org/docs/s2-053.html; classtype:attempted-admin; sid:39191; rev:3; )