Snort mailing list archives

Re: CVE-2018-8733, CVE-2018-8734, CVE-2018-8735

From: Phillip Lee <phillile () sourcefire com>
Date: Tue, 1 May 2018 10:51:40 -0400

Yaser,

Thanks for your submission. We will review the rules and get back to you when they're finished. 

Can you send along the pcaps that you have? 

Regards,
Phil Lee
Cisco Talos

On May 1, 2018, at 9:24 AM, Y M via Snort-sigs <snort-sigs () lists snort org> wrote:

Hi,

The below rules are for detecting exploit attempts against the listed CVEs. Pcap is available for this one.

# Date: 2018-05-01
# Title: CVE-2018-873X - NagiosXI Vulnerability Chaining; Death By a Thousand Cuts
# Reference: http://blog.redactedsec.net/exploits/2018/04/26/nagios.html 
<http://blog.redactedsec.net/exploits/2018/04/26/nagios.html>, https://www.exploit-db.com/exploits/44560/ 
<https://www.exploit-db.com/exploits/44560/>
# CVEs: CVE-2018-8733, CVE-2018-8734, CVE-2018-8735
# Tests: pcap

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP NagiosXI unauthenticated SQL injection 
attempt"; flow:to_server,established; content:"POST"; http_method; content:"/nagiosql/admin/helpedit.php"; 
fast_pattern:only; http_uri; content:"selInfoKey1="; http_client_body; content:"union"; nocase; http_client_body; 
content:"select"; nocase; http_client_body; metadata:ruleset community, service http; reference:cve,2018-8734; 
reference:url,blog.redactedsec.net/exploits/2018/04/26/nagios.html 
<http://blog.redactedsec.net/exploits/2018/04/26/nagios.html>; reference:url,www.exploit-db.com/exploits/44560/ 
<http://www.exploit-db.com/exploits/44560/>; classtype:attempted-admin; sid:8000033; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP NagiosXI unauthenticated authentication 
bypass attempt"; flow:to_server,established; content:"POST"; http_method; content:"/nagiosql/admin/settings.php"; 
fast_pattern:only; http_uri; content:"txtRootPath="; http_client_body; content:"&txtDBserver="; http_client_body; 
content:"&txtDBname="; http_client_body; content:"&txtDBuser="; http_client_body; reference:cve,2018-8733; 
reference:url,blog.redactedsec.net/exploits/2018/04/26/nagios.html 
<http://blog.redactedsec.net/exploits/2018/04/26/nagios.html>; reference:url,www.exploit-db.com/exploits/44560/ 
<http://www.exploit-db.com/exploits/44560/>; classtype:attempted-admin; sid:8000034; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP NagiosXI authenticated command injection 
attempt"; flow:to_server,established; content:"POST"; http_method; content:"/nagiosxi/backend/index.php?"; 
fast_pattern:only; http_uri; content:"command_data="; http_uri; content:"&cmd=submitcommand"; http_uri; 
content:"&command="; http_uri; content:"nagiosxi="; http_cookie; reference:cve,2018-8735; 
reference:url,blog.redactedsec.net/exploits/2018/04/26/nagios.html 
<http://blog.redactedsec.net/exploits/2018/04/26/nagios.html>; reference:url,www.exploit-db.com/exploits/44560/ 
<http://www.exploit-db.com/exploits/44560/>; classtype:attempted-admin; sid:8000035; rev:1;)

Thanks.
YM
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org <mailto:Snort-sigs () lists snort org>
https://lists.snort.org/mailman/listinfo/snort-sigs <https://lists.snort.org/mailman/listinfo/snort-sigs>

Please visit http://blog.snort.org <http://blog.snort.org/> for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette 
<https://snort.org/faq/what-is-the-mailing-list-etiquette>

Visit the Snort.org <http://snort.org/> to subscribe to the official Snort ruleset, make sure to stay up to date to 
catch the most <a href=" https://snort.org/downloads/#rule-downloads 
<https://snort.org/downloads/#rule-downloads>">emerging threats</a>!

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a 
href=" https://snort.org/downloads/#rule-downloads";>emerging threats</a>!

Current thread:

CVE-2018-8733, CVE-2018-8734, CVE-2018-8735 Y M via Snort-sigs (May 01)
- Re: CVE-2018-8733, CVE-2018-8734, CVE-2018-8735 Phillip Lee (May 01)