Snort mailing list archives

Fw: CVE-2017-6316 Signature

From: Y M via Snort-sigs <snort-sigs () lists snort org>
Date: Mon, 31 Jul 2017 12:29:04 +0000

Sent these to the old list address.



Hello.


Below signature is derived from the references available within the signature. May be split the signature into two, one 
for CloudBridge and the other for the SDN version? No pcap is available, sorry.


alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Citrix NetScaler CloudBridge/SD-WN session 
cookie privilege escalation attempt"; flow:to_server; content:"POST"; http_method; content:"/global_data/"; 
fast_pattern:only; http_uri; pcre:"/Cookie\x3a\x20(CGISESSID|CAKEPHP)\x3d[a-f0-9]{32}\x60/H"; reference:cve,2017-6316; 
reference:url,support.citrix.com/article/CTX225990; reference:url,vuldb.com/?id.104319; 
reference:url,www.exploit-db.com/exploits/42345/; metadata:ruleset community, service http; classtype:attempted-admin; 
sid:110001; rev:1;)


Thanks.

YM

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

http://www.snort.org

Please visit http://blog.snort.org for the latest news about Snort!

Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a 
href=" https://snort.org/downloads/#rule-downloads";>emerging threats</a>!

Current thread:

Fw: CVE-2017-6316 Signature Y M via Snort-sigs (Jul 31)
- Re: Fw: CVE-2017-6316 Signature Tyler Montier (Jul 31)