Re: New sig for detecting Ubiquiti Networks UniFi Cloud Key Firm v0.6.1 Host RCE

[Tyler Montier <tmontier () sourcefire com>]

Rmkml,

Thanks for your submission. We will review the rules and get back to you
when they're finished.

Thanks,

Tyler Montier
Cisco Talos

On Sat, Aug 12, 2017 at 4:37 PM, rmkml <rmkml () ligfy org> wrote:

> Hi,
>
> Please check a new sig for detecting Ubiquiti Networks UniFi Cloud Key
> Firm v0.6.1 Host Remote Command Execution attempt:
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC
> Ubiquiti Networks UniFi Cloud Key Firm v0.6.1 Host Remote Command Execution
> attempt"; flow:to_server,established; content:"GET"; nocase; http_method;
> content:"Host|3a|"; nocase; http_header; content:"|3b|"; http_header;
> within:50; distance:0; pcre:"/^Host\x3a[^\n]{0,50}?\x3b/Hmi";
> reference:url,cxsecurity.com/issue/WLB-2017080038;
> classtype:web-application-attack; sid:1; rev:1;)
>
> Don't forget check variables.
>
> Please send any comments.
>
> Regards
> @Rmkml
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs () lists snort org
> https://lists.snort.org/mailman/listinfo/snort-sigs
>
> http://www.snort.org
>
> Please visit http://blog.snort.org for the latest news about Snort!
>
> Visit the Snort.org to subscribe to the official Snort ruleset, make sure
> to stay up to date to catch the most <a href="
> https://snort.org/downloads/#rule-downloads";>emerging threats</a>!
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

http://www.snort.org

Please visit http://blog.snort.org for the latest news about Snort!

Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a 
href=" https://snort.org/downloads/#rule-downloads";>emerging threats</a>!