Snort mailing list archives

Previous By Date Next
Previous By Thread Next

JBoss AS Exploit Sig

From: James Lay <jlay () slave-tothe-box net>
Date: Tue, 19 Nov 2013 08:50:06 -0700
Didn't see this in the current sets, so thought I'd make one:

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS 
(msg:"SERVER-WEBAPP JBoss AS Exploit command"; 
flow:established,to_server; file_data; content:"pwn.jsp|3f|cmd="; 
http_uri; fast_pattern:only; metadata:policy balanced-ips drop, policy 
security-ips drop, ruleset community, service http; 
reference:url,blog.imperva.com/2013/11/threat-advisory-a-jboss-as-exploit-web-shell-code-injection.html; 
classtype:trojan-activity; sid:10000113; rev:1;)

James

------------------------------------------------------------------------------
Shape the Mobile Experience: Free Subscription
Software experts and developers: Be at the forefront of tech innovation.
Intel(R) Software Adrenaline delivers strategic insight and game-changing 
conversations that shape the rapidly evolving mobile landscape. Sign up now. 
http://pubads.g.doubleclick.net/gampad/clk?id=63431311&iu=/4140/ostg.clktrk
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!
Previous By Date Next
Previous By Thread Next

Current thread: