daily pastebin goal
43%
SHARE
TWEET

Struts CVE-2018-11776 SNORT Rules

a guest Aug 23rd, 2018 752 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. alert tcp any any -> $HOME_NET any (msg:”CVE-2018-11776 Struts ognl”; flow:established, to_server; content:”ognl|2e|”; rawbytes; nocase; pcre: "/^(OgnlContext|ClassResolver|TypeConverter|MemberAccess)[A-Za-z\.]+/iR"; sid:x; rev:x;)
  2.  
  3. alert tcp any any -> $HOME_NET any (msg:”CVE-2018-11776 Struts opensymphony”; flow:established, to_server; content:”com|2e|opensymphony|2e|xwork2|2e|”; rawbytes; nocase; pcre: "/^((ognl\.SecurityMemberAccess)|(ActionContext|UnixProcess))[A-Za-z\.]+/iR"; sid:x; rev:x;)
  4.  
  5. alert tcp any any -> $HOME_NET any (msg:”CVE-2018-11776 Struts freemarker”; flow:established, to_server; content:”freemarker|2e|”; rawbytes; nocase; pcre: /^(core|template|ext\.(rhino|beans))\.[A-Za-z\.]+/iR"; sid:x; rev:x;)
  6.  
  7. alert tcp any any -> $HOME_NET any (msg:”CVE-2018-11776 Struts sun”; flow:established, to_server; content:”sun|2e|”; rawbytes; nocase; pcre: "/^(misc|reflect)\.[A-Za-z\.]+/iR"; sid:x; rev:x;)
  8.  
  9. alert tcp any any -> $HOME_NET any (msg:”CVE-2018-11776 Struts javassist”; flow:established, to_server; content:”javassist|2e|”; rawbytes; nocase; pcre: "/^[A-Za-z\.]+/iR"; sid:x; rev:x;)
  10.  
  11. alert tcp any any -> $HOME_NET any (msg:”CVE-2018-11776 Struts java.lang”; flow:established, to_server; content:”java|2e|lang|2e|”; rawbytes; nocase; pcre: "/^(Object|Runtime|System|Class|ClassLoader|Shutdown|ProcessBuilder)[A-Za-z\.]+/iR"; sid:x; rev:x;)
  12.  
  13. alert tcp any any -> $HOME_NET any (msg:"CVE-2018-11776 OGNL execution in URI via S2-045 and S2-053k detection"; flow:established, to_server; content:"|25|7b|28|"; rawbytes; fast_pattern:only; sid:x; rev:x;)
  14.  
  15. -------Talos SNORT Sigs--------
  16. alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-APACHE Apache Struts wildcard matching OGNL remote code execution attempt"; flow:to_server,established; http_uri; content:"${"; content:"}",distance 0; pcre:"/\x24\{[^\x2f{}]+?\}/i"; metadata:policy max-detect-ips drop; service:http; reference:bugtraq,60346; reference:cve,2013-2134; reference:cve,2018-11776; reference:url,cwiki.apache.org/confluence/display/WW/S2-015; reference:url,cwiki.apache.org/confluence/display/WW/S2-057; reference:url,osvdb.org/show/osvdb/93969; classtype:attempted-admin; sid:29639; rev:3; )
  17.  
  18. alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-APACHE Apache Struts remote code execution attempt"; flow:to_server,established; http_uri; content:"|23|_memberAccess",fast_pattern,nocase; content:"@java.lang.",nocase; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop; service:http; reference:cve,2016-3087; reference:cve,2018-11776; reference:url,cwiki.apache.org/confluence/display/WW/S2-057; reference:url,struts.apache.org/docs/s2-033.html; classtype:attempted-admin; sid:39190; rev:3; )
  19.  
  20. alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-APACHE Apache Struts remote code execution attempt"; flow:to_server,established; http_uri; content:"|23|_memberAccess",fast_pattern,nocase; content:"new ",nocase; pcre:"/new\s+(java|org|sun)/i"; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop; service:http; reference:cve,2016-3087; reference:cve,2017-12611; reference:cve,2018-11776; reference:url,cwiki.apache.org/confluence/display/WW/S2-057; reference:url,struts.apache.org/docs/s2-033.html; reference:url,struts.apache.org/docs/s2-053.html; classtype:attempted-admin; sid:39191; rev:3; )
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
 
Top