Re: [Emerging-Sigs] New rule offered for detecting Zimbra conf/localconfig.xml attempt

[Will Metcalf <william.metcalf () gmail com>]

Might be useful for proxied environments? Will get this into QA thanks.

Regards,

Will


On Wed, Jan 15, 2014 at 3:01 PM, rmkml <rmkml () yahoo fr> wrote:

> Hi,
>
> I'm offer a new rule for detecting Zimbra conf/localconfig.xml attempt.
>
> Warn: Zimbra run over HTTPS (no pb with etplc).
>
> alert tcp any any -> any $HTTPS_PORTS (msg:"WEB-MISC Zimbra
> conf/localconfig.xml attempt"; flow:to_server,established;
> content:"conf/localconfig.xml"; nocase; http_uri;
> reference:cve,2013-7091; reference:bugtraq,64149; reference:osvdb,100747;
> reference:exploitdb,30472; reference:cxsecurity,WLB-2013120097;
> classtype:web-application-attack; sid:1; rev:1; )
>
> Please check all variables before use.
>
> Discovered during my new project http://etplc.org
>
> All comments are welcome.
>
> Regards
> @Rmkml
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs () lists emergingthreats net
> https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> Support Emerging Threats! Subscribe to Emerging Threats Pro
> http://www.emergingthreats.net
> The ONLY place to get complete premium rulesets for all versions of
> Suricata and Snort 2.4.0 through Current!
------------------------------------------------------------------------------
CenturyLink Cloud: The Leader in Enterprise Cloud Services.
Learn Why More Businesses Are Choosing CenturyLink Cloud For
Critical Workloads, Development Environments & Everything In Between.
Get a Quote or Start a Free Trial Today. 
http://pubads.g.doubleclick.net/gampad/clk?id=119420431&iu=/4140/ostg.clktrk

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!