Snort mailing list archives

New sig for detecting Ubiquiti Networks UniFi Cloud Key Firm v0.6.1 Host RCE


From: rmkml <rmkml () ligfy org>
Date: Sat, 12 Aug 2017 22:37:45 +0200 (CEST)

Hi,

Please check a new sig for detecting Ubiquiti Networks UniFi Cloud Key Firm v0.6.1 Host Remote Command Execution attempt:

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC Ubiquiti Networks UniFi Cloud Key Firm v0.6.1 Host Remote Command Execution attempt"; flow:to_server,established; content:"GET"; nocase; http_method; content:"Host|3a|"; nocase; http_header; content:"|3b|"; http_header; within:50; distance:0; pcre:"/^Host\x3a[^\n]{0,50}?\x3b/Hmi"; reference:url,cxsecurity.com/issue/WLB-2017080038; classtype:web-application-attack; sid:1; rev:1;)

Don't forget to check variables.

Please send any comments.

Regards
@Rmkml