Magento CVE-2015-1397, CVE-2015-1398, CVE-2015-1399 Sig

[James Lay <jlay () slave-tothe-box net>]

Pretty simple:

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP 
Vulnerable Magento Adminhtml Access"; flow:established,to_server; 
uricontent:"Adminhtml"; nocase; uricontent:!"|2f|admin|2f|"; nocase; 
reference:url,blog.checkpoint.com/2015/04/20/analyzing-magento-vulnerability; 
classtype:bad-unknown; sid:10000158; rev:1;)

Can't imagine running something like this over http...I suspect this 
will fire on scanners trying to exploit this, which might be helpful to 
someone.  Standard disclaimer of "this rule may suck please fix it" 
applies.

James

------------------------------------------------------------------------------
One dashboard for servers and applications across Physical-Virtual-Cloud 
Widest out-of-the-box monitoring support with 50+ applications
Performance metrics, stats and reports that give you Actionable Insights
Deep dive visibility with transaction tracing using APM Insight.
http://ad.doubleclick.net/ddm/clk/290420510;117567292;y
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!