Snort mailing list archives

Re: Magento CVE-2015-1397, CVE-2015-1398, CVE-2015-1399 Sig

From: Matt Mickel <mmickel () sourcefire com>
Date: Wed, 13 May 2015 08:01:08 -0400

Hi, James-

This rule has been reviewed and added to the community ruleset (SID: 
34365).  Thanks for your contribution.  Best,

Matt Mickel

On 04/24/2015 02:16 PM, James Lay wrote:

Pretty simple:

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP
Vulnerable Magento Adminhtml Access"; flow:established,to_server;
uricontent:"Adminhtml"; nocase; uricontent:!"|2f|admin|2f|"; nocase;
reference:url,blog.checkpoint.com/2015/04/20/analyzing-magento-vulnerability;
classtype:bad-unknown; sid:10000158; rev:1;)

Can't imagine running something like this over http...I suspect this
will fire on scanners trying to exploit this, which might be helpful to
someone.  Standard disclaimer of "this rule may suck please fix it"
applies.

James

------------------------------------------------------------------------------
One dashboard for servers and applications across Physical-Virtual-Cloud
Widest out-of-the-box monitoring support with 50+ applications
Performance metrics, stats and reports that give you Actionable Insights
Deep dive visibility with transaction tracing using APM Insight.
http://ad.doubleclick.net/ddm/clk/290420510;117567292;y
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!



------------------------------------------------------------------------------
One dashboard for servers and applications across Physical-Virtual-Cloud 
Widest out-of-the-box monitoring support with 50+ applications
Performance metrics, stats and reports that give you Actionable Insights
Deep dive visibility with transaction tracing using APM Insight.
http://ad.doubleclick.net/ddm/clk/290420510;117567292;y
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!

Current thread:

Magento CVE-2015-1397, CVE-2015-1398, CVE-2015-1399 Sig James Lay (Apr 24)
- Re: Magento CVE-2015-1397, CVE-2015-1398, CVE-2015-1399 Sig Matt Mickel (May 14)