Re: New Community sig for detecting Oracle WebCenter header injection

[Joel Esler <jesler () sourcefire com>]

Wow, that was bad.

We actually have rules written for this in testing already, so we'll move these from our VRT set into the community set.

Joel

On Apr 18, 2013, at 12:39 PM, Joel Esler <jesler () sourcefire com> wrote:

> Rmkml,
>
> We actually have rules for this written this already in testing already, so what we do is we'll do is move them from 
> our VRT set into the community set.
>
> Joel
>
> On Apr 18, 2013, at 11:26 AM, Joel Esler <jesler () sourcefire com> wrote:
>
> > Thanks!  We'll take a look!
> >
> > On Apr 17, 2013, at 4:15 PM, rmkml <rmkml () yahoo fr> wrote:
> >
> > > Hi,
> > >
> > > Please find offer a new sig for community for detecting Oracle WebCenter header injection:
> > >
> > > alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (
> > > msg:"WEB-MISC Oracle WebCenter (FatWire) header injection on blobheadername2 and blobheadervalue2 attempt";
> > > flow:to_server,established; content:"blobheadername2="; nocase; http_uri; content:"blobheadervalue2=";
> > > nocase; http_uri; pcre:"/[\?\&]blobheadervalue2\=[^\&]*?[\x00-\x25\x27-\x2f\x3a-\x40\x5b-\x60\x7b-\xff]/Ui";
> > > reference:cve,2013-1509; reference:url,www.oracle.com/technetwork/topics/security/cpuapr2013-1899555.html; 
> > > classtype:web-application-attack; sid:1; rev:1;)
> > >
> > > Don't remember adjust snort variables.
> > >
> > > Please post any comments?
> > >
> > > Happy Detect
> > > Rmkml
> > >
> > > http://twitter.com/rmkml
> > >
> > > ------------------------------------------------------------------------------
> > > Precog is a next-generation analytics platform capable of advanced
> > > analytics on semi-structured data. The platform includes APIs for building
> > > apps and a phenomenal toolset for data science. Developers can use
> > > our toolset for easy data analysis & visualization. Get a free account!
> > > http://www2.precog.com/precogplatform/slashdotnewsletter
> > > _______________________________________________
> > > Snort-sigs mailing list
> > > Snort-sigs () lists sourceforge net
> > > https://lists.sourceforge.net/lists/listinfo/snort-sigs
> > > http://www.snort.org
> > >
> > >
> > > Please visit http://blog.snort.org for the latest news about Snort!

------------------------------------------------------------------------------
Precog is a next-generation analytics platform capable of advanced
analytics on semi-structured data. The platform includes APIs for building
apps and a phenomenal toolset for data science. Developers can use
our toolset for easy data analysis & visualization. Get a free account!
http://www2.precog.com/precogplatform/slashdotnewsletter

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!