Snort mailing list archives
Re: New sig for detecting BlueCoat CAS v1.3.7.1 Report Email Command Injection
From: "Joel Esler (jesler)" <jesler () cisco com>
Date: Sun, 16 Apr 2017 22:13:08 +0000
Thanks. I've sent this over to the analyst team. -- Sent from my iPhone
On Apr 16, 2017, at 17:10, rmkml <rmkml () ligfy org> wrote: Hi, Please check a new sig for detecting BlueCoat CAS v1.3.7.1 Report Email Command Injection: alert tcp $EXTERNAL_NET any -> $HOME_NET 8082 (msg:"WEB-MISC BlueCoat CAS v1.3.7.1 Report Email Command Injection attempt"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/report-email/send"; nocase; http_uri; content:"/dev-report-overview.html"; nocase; http_client_body; content:"|3B|"; http_client_body; distance:0; pcre:"/\/dev-report-overview\.html[^\"]*?\x3b/Pi"; reference:cve,2016-9091; reference:url,www.exploit-db.com/exploits/41785/; reference:url,bto.bluecoat.com/security-advisory/sa138; classtype:web-application-attack; sid:1; rev:1;) Don't forget check variables. Please send any comments. Regards @Rmkml ------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot _______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort! Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a href=" https://snort.org/downloads/#rule-downloads">emerging threats</a>!
------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot _______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort! Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a href=" https://snort.org/downloads/#rule-downloads">emerging threats</a>!
Current thread:
- New sig for detecting BlueCoat CAS v1.3.7.1 Report Email Command Injection rmkml (Apr 16)
- Re: New sig for detecting BlueCoat CAS v1.3.7.1 Report Email Command Injection Joel Esler (jesler) (Apr 16)