New Community sig for detecting Oracle WebCenter header injection

[rmkml <rmkml () yahoo fr>]

Hi,

Please find offer a new sig for community for detecting Oracle WebCenter header injection:

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (
  msg:"WEB-MISC Oracle WebCenter (FatWire) header injection on blobheadername2 and blobheadervalue2 attempt";
  flow:to_server,established; content:"blobheadername2="; nocase; http_uri; content:"blobheadervalue2=";
  nocase; http_uri; pcre:"/[\?\&]blobheadervalue2\=[^\&]*?[\x00-\x25\x27-\x2f\x3a-\x40\x5b-\x60\x7b-\xff]/Ui";
  reference:cve,2013-1509; reference:url,www.oracle.com/technetwork/topics/security/cpuapr2013-1899555.html; 
classtype:web-application-attack; sid:1; rev:1;)

Don't remember adjust snort variables.

Please post any comments?

Happy Detect
Rmkml

http://twitter.com/rmkml

------------------------------------------------------------------------------
Precog is a next-generation analytics platform capable of advanced
analytics on semi-structured data. The platform includes APIs for building
apps and a phenomenal toolset for data science. Developers can use
our toolset for easy data analysis & visualization. Get a free account!
http://www2.precog.com/precogplatform/slashdotnewsletter
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!