Snort mailing list archives
Re: Magento CVE-2015-1397, CVE-2015-1398, CVE-2015-1399 Sig
From: Matt Mickel <mmickel () sourcefire com>
Date: Wed, 13 May 2015 08:01:08 -0400
Hi, James- This rule has been reviewed and added to the community ruleset (SID: 34365). Thanks for your contribution. Best, Matt Mickel On 04/24/2015 02:16 PM, James Lay wrote:
Pretty simple: alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Vulnerable Magento Adminhtml Access"; flow:established,to_server; uricontent:"Adminhtml"; nocase; uricontent:!"|2f|admin|2f|"; nocase; reference:url,blog.checkpoint.com/2015/04/20/analyzing-magento-vulnerability; classtype:bad-unknown; sid:10000158; rev:1;) Can't imagine running something like this over http...I suspect this will fire on scanners trying to exploit this, which might be helpful to someone. Standard disclaimer of "this rule may suck please fix it" applies. James ------------------------------------------------------------------------------ One dashboard for servers and applications across Physical-Virtual-Cloud Widest out-of-the-box monitoring support with 50+ applications Performance metrics, stats and reports that give you Actionable Insights Deep dive visibility with transaction tracing using APM Insight. http://ad.doubleclick.net/ddm/clk/290420510;117567292;y _______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
------------------------------------------------------------------------------ One dashboard for servers and applications across Physical-Virtual-Cloud Widest out-of-the-box monitoring support with 50+ applications Performance metrics, stats and reports that give you Actionable Insights Deep dive visibility with transaction tracing using APM Insight. http://ad.doubleclick.net/ddm/clk/290420510;117567292;y _______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- Magento CVE-2015-1397, CVE-2015-1398, CVE-2015-1399 Sig James Lay (Apr 24)
- Re: Magento CVE-2015-1397, CVE-2015-1398, CVE-2015-1399 Sig Matt Mickel (May 14)