Snort mailing list archives

Re: new sig for detecting Apache / PHP RCE


From: Joel Esler <joel.esler () me com>
Date: Wed, 30 Oct 2013 17:27:27 -0400

rmkml,

This is CVE-2012-1823, covered by sids: 22063, 22064, and 22097.

Are you not seeing these rules fire?

--
Joel Esler
AEGIS Intelligence Lead
OpenSource Community Manager
Vulnerability Research Team, Sourcefire

On Oct 30, 2013, at 5:30 PM, rmkml <rmkml () yahoo fr> wrote:

Hi,

Created a new Community rule for detecting this exploit:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Apache / PHP 5.x Remote Code Execution Kingcope attempt"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/cgi-bin/php"; nocase; http_uri; content:"-d"; nocase; http_uri; distance:0; content:!"|0A|Referer|3a|"; nocase; http_header; pcre:"/^\/cgi\-bin\/php(?:|[45]|[\-\.]cgi)\?/Ui"; pcre:"/\b(?:proc_open\s*\(|pcntl_fork\s*\(|chdir\s*\(|umask\s*\()/Psi"; reference:url,www.exploit-db.com/exploits/29290; classtype:attempted-admin; sid:95417; rev:1; )

Please follow my new project http://etplc.org

Regards
@Rmkml

PS: Thx @Kingcope
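The conditions of the rule above, re-implemented as a stand-alone checker and run over constructed sample requests, so the rule's URI variants and its negated Referer match can be exercised without a sensor. This is an added example, not code from the thread or from Snort; the percent-decoding is an assumption standing in for Snort's normalised http_uri buffer.

```python
import re
from urllib.parse import unquote

# pcre:"/^\/cgi\-bin\/php(?:|[45]|[\-\.]cgi)\?/Ui"  (U = http_uri, i = nocase)
URI_RE = re.compile(r"^/cgi-bin/php(?:|[45]|[-.]cgi)\?", re.I)
# pcre:"/\b(?:proc_open\s*\(|pcntl_fork\s*\(|chdir\s*\(|umask\s*\()/Psi"  (P = client body)
BODY_RE = re.compile(r"\b(?:proc_open\s*\(|pcntl_fork\s*\(|chdir\s*\(|umask\s*\()", re.I | re.S)


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, uri, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, uri, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, uri, headers, body.decode("latin-1")


def matches_sid_95417(raw: bytes) -> bool:
    """Return True when the request satisfies every condition of sid:95417."""
    method, uri, headers, body = parse_request(raw)
    if method.upper() != "POST":            # content:"POST"; nocase; http_method;
        return False
    norm_uri = unquote(uri)                 # assumption: approximates the normalised URI buffer
    low = norm_uri.lower()
    pos = low.find("/cgi-bin/php")          # content:"/cgi-bin/php"; nocase; http_uri;
    if pos < 0 or low.find("-d", pos + len("/cgi-bin/php")) < 0:
        return False                        # content:"-d"; nocase; http_uri; distance:0;
    if not URI_RE.match(norm_uri):
        return False
    if "referer" in headers:                # content:!"|0A|Referer|3a|"; http_header;
        return False                        # a Referer header suppresses the alert
    return BODY_RE.search(body) is not None


# Constructed sample requests for testing the checker (not captured traffic).
HIT = (b"POST /cgi-bin/php5?-d+CONSTRUCTED_OPTION HTTP/1.1\r\n"
       b"Host: www.example.com\r\n\r\n"
       b"<?php proc_open('x', $spec, $pipes); ?>")
WITH_REFERER = HIT.replace(b"Host:", b"Referer: http://www.example.com/\r\nHost:")
WRONG_PATH = HIT.replace(b"/cgi-bin/php5?", b"/cgi-bin/phpinfo?")

if __name__ == "__main__":
    for name, req in [("HIT", HIT), ("WITH_REFERER", WITH_REFERER), ("WRONG_PATH", WRONG_PATH)]:
        print(name, matches_sid_95417(req))
```

Note that the negated Referer match means the same request with any Referer header present is not alerted on; that is a property of the rule, reproduced here, not a finding about the exploit.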

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!

