Snort mailing list archives
Fw: CVE-2017-6316 Signature
From: Y M via Snort-sigs <snort-sigs () lists snort org>
Date: Mon, 31 Jul 2017 12:29:04 +0000
Sent these to the old list address.

Hello.

The below signature is derived from the references available within the signature. Maybe split the signature into two, one for CloudBridge and the other for the SDN version? No pcap is available, sorry.

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Citrix NetScaler CloudBridge/SD-WN session cookie privilege escalation attempt"; flow:to_server; content:"POST"; http_method; content:"/global_data/"; fast_pattern:only; http_uri; pcre:"/Cookie\x3a\x20(CGISESSID|CAKEPHP)\x3d[a-f0-9]{32}\x60/H"; reference:cve,2017-6316; reference:url,support.citrix.com/article/CTX225990; reference:url,vuldb.com/?id.104319; reference:url,www.exploit-db.com/exploits/42345/; metadata:ruleset community, service http; classtype:attempted-admin; sid:110001; rev:1;)

Thanks.
YM
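Since no pcap is available, the rule's three match conditions can be exercised offline against constructed requests. This is an added example, not part of the original post or of Snort: the request parsing is a simplification of Snort's HTTP buffers, and the host name, session id and sample requests are all constructed.

```python
import re

# The pcre from the posted rule, unchanged. Snort applies it to the HTTP
# header buffer (/H); here it is applied to the raw header block (assumption).
COOKIE_RE = re.compile(r"Cookie\x3a\x20(CGISESSID|CAKEPHP)\x3d[a-f0-9]{32}\x60")
URI_CONTENT = "/global_data/"   # content:"/global_data/"; http_uri;

def parse_request(raw):
    """Split a raw HTTP request into (method, uri, header block)."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, _, headers = head.partition("\r\n")
    method, uri, _version = request_line.split(" ", 2)
    return method, uri, headers

def rule_matches(raw):
    """True when all three conditions of the posted rule hold."""
    method, uri, headers = parse_request(raw)
    return ("POST" in method                          # content:"POST"; http_method;
            and URI_CONTENT in uri                    # case-sensitive, no nocase
            and COOKIE_RE.search(headers) is not None)

def build(method, uri, cookie):
    """Constructed request; appliance.example is a placeholder host."""
    return (f"{method} {uri} HTTP/1.1\r\nHost: appliance.example\r\n"
            f"Cookie: {cookie}\r\n\r\n")

SID = "0123456789abcdef0123456789abcdef"   # constructed 32-hex session id
TAIL = "`PLACEHOLDER"                      # backtick (\x60) plus inert text

SAMPLES = {
    "cgisessid_backtick": build("POST", "/global_data/", f"CGISESSID={SID}{TAIL}"),
    "cakephp_backtick":   build("POST", "/global_data/", f"CAKEPHP={SID}{TAIL}"),
    "normal_session":     build("POST", "/global_data/", f"CGISESSID={SID}"),
    "get_request":        build("GET", "/global_data/", f"CGISESSID={SID}{TAIL}"),
    "other_uri":          build("POST", "/index.html", f"CGISESSID={SID}{TAIL}"),
    # Coverage check: the pcre anchors the cookie name directly after "Cookie: ".
    "cookie_not_first":   build("POST", "/global_data/", f"lang=en; CGISESSID={SID}{TAIL}"),
}

def evaluate():
    """Return {sample name: whether the rule's conditions match}."""
    return {name: rule_matches(raw) for name, raw in SAMPLES.items()}

if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{name:20s} {'ALERT' if hit else 'no match'}")
```

The last sample shows that the pattern as written only covers a session cookie that comes first in the Cookie header, which is worth checking against real appliance traffic before the rule is deployed.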
Current thread:
- Fw: CVE-2017-6316 Signature Y M via Snort-sigs (Jul 31)
- Re: Fw: CVE-2017-6316 Signature Tyler Montier (Jul 31)