Snort mailing list archives
Re: CVE-2018-8733, CVE-2018-8734, CVE-2018-8735
From: Phillip Lee <phillile () sourcefire com>
Date: Tue, 1 May 2018 10:51:40 -0400
Yaser, Thanks for your submission. We will review the rules and get back to you when they're finished. Can you send along the pcaps that you have? Regards, Phil Lee Cisco Talos
On May 1, 2018, at 9:24 AM, Y M via Snort-sigs <snort-sigs () lists snort org> wrote: Hi, The below rules are for detecting exploit attempts against the listed CVEs. Pcap is available for this one. # Date: 2018-05-01 # Title: CVE-2018-873X - NagiosXI Vulnerability Chaining; Death By a Thousand Cuts # Reference: http://blog.redactedsec.net/exploits/2018/04/26/nagios.html <http://blog.redactedsec.net/exploits/2018/04/26/nagios.html>, https://www.exploit-db.com/exploits/44560/ <https://www.exploit-db.com/exploits/44560/> # CVEs: CVE-2018-8733, CVE-2018-8734, CVE-2018-8735 # Tests: pcap alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP NagiosXI unauthenticated SQL injection attempt"; flow:to_server,established; content:"POST"; http_method; content:"/nagiosql/admin/helpedit.php"; fast_pattern:only; http_uri; content:"selInfoKey1="; http_client_body; content:"union"; nocase; http_client_body; content:"select"; nocase; http_client_body; metadata:ruleset community, service http; reference:cve,2018-8734; reference:url,blog.redactedsec.net/exploits/2018/04/26/nagios.html <http://blog.redactedsec.net/exploits/2018/04/26/nagios.html>; reference:url,www.exploit-db.com/exploits/44560/ <http://www.exploit-db.com/exploits/44560/>; classtype:attempted-admin; sid:8000033; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP NagiosXI unauthenticated authentication bypass attempt"; flow:to_server,established; content:"POST"; http_method; content:"/nagiosql/admin/settings.php"; fast_pattern:only; http_uri; content:"txtRootPath="; http_client_body; content:"&txtDBserver="; http_client_body; content:"&txtDBname="; http_client_body; content:"&txtDBuser="; http_client_body; reference:cve,2018-8733; reference:url,blog.redactedsec.net/exploits/2018/04/26/nagios.html <http://blog.redactedsec.net/exploits/2018/04/26/nagios.html>; reference:url,www.exploit-db.com/exploits/44560/ <http://www.exploit-db.com/exploits/44560/>; classtype:attempted-admin; sid:8000034; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP NagiosXI authenticated command injection attempt"; flow:to_server,established; content:"POST"; http_method; content:"/nagiosxi/backend/index.php?"; fast_pattern:only; http_uri; content:"command_data="; http_uri; content:"&cmd=submitcommand"; http_uri; content:"&command="; http_uri; content:"nagiosxi="; http_cookie; reference:cve,2018-8735; reference:url,blog.redactedsec.net/exploits/2018/04/26/nagios.html <http://blog.redactedsec.net/exploits/2018/04/26/nagios.html>; reference:url,www.exploit-db.com/exploits/44560/ <http://www.exploit-db.com/exploits/44560/>; classtype:attempted-admin; sid:8000035; rev:1;) Thanks. YM _______________________________________________ Snort-sigs mailing list Snort-sigs () lists snort org <mailto:Snort-sigs () lists snort org> https://lists.snort.org/mailman/listinfo/snort-sigs <https://lists.snort.org/mailman/listinfo/snort-sigs> Please visit http://blog.snort.org <http://blog.snort.org/> for the latest news about Snort! Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette <https://snort.org/faq/what-is-the-mailing-list-etiquette> Visit the Snort.org <http://snort.org/> to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a href=" https://snort.org/downloads/#rule-downloads <https://snort.org/downloads/#rule-downloads>">emerging threats</a>!
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists snort org https://lists.snort.org/mailman/listinfo/snort-sigs Please visit http://blog.snort.org for the latest news about Snort! Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a href=" https://snort.org/downloads/#rule-downloads">emerging threats</a>!
Current thread:
- CVE-2018-8733, CVE-2018-8734, CVE-2018-8735 Y M via Snort-sigs (May 01)
- Re: CVE-2018-8733, CVE-2018-8734, CVE-2018-8735 Phillip Lee (May 01)