Snort mailing list archives
JBoss AS Exploit Sig
From: James Lay <jlay () slave-tothe-box net>
Date: Tue, 19 Nov 2013 08:50:06 -0700
Didn't see this in the current sets, so thought I'd make one: alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP JBoss AS Exploit command"; flow:established,to_server; file_data; content:"pwn.jsp|3f|cmd="; http_uri; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,blog.imperva.com/2013/11/threat-advisory-a-jboss-as-exploit-web-shell-code-injection.html; classtype:trojan-activity; sid:10000113; rev:1;) James ------------------------------------------------------------------------------ Shape the Mobile Experience: Free Subscription Software experts and developers: Be at the forefront of tech innovation. Intel(R) Software Adrenaline delivers strategic insight and game-changing conversations that shape the rapidly evolving mobile landscape. Sign up now. http://pubads.g.doubleclick.net/gampad/clk?id=63431311&iu=/4140/ostg.clktrk _______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- JBoss AS Exploit Sig James Lay (Nov 19)