Re: CVE-2017-12754 sigs

[Tyler Montier <tmontier () sourcefire com>]

Yaser,

Thanks for your submission. We will review the rules and get back to you as
soon as they're finished.

Regards,

Tyler Montier
Cisco Talos

On Tue, Aug 15, 2017 at 11:18 AM, Y M via Snort-sigs <
snort-sigs () lists snort org> wrote:

> Yet another signature for CVE-2017-12754, derived from the reference.
>
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP
> Asus RT-AC88U buffer overflow attempt"; flow:to_server,established;
> content:"/deleteOfflineClient.cgi?delete_offline_client=";
> fast_pattern:only; http_uri; content:"asus_token="; http_cookie;
> pcre:"/delete_offline_client\x3d([a-fA-F]{2}\x3a){7,}[0-9]{2}\x3a/Ui";
> metadata:ruleset community, service http; reference:cve,2017-12754;
> reference:url,cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12754;
> reference:url,github.com/coincoin7/Wireless-Router-
> Vulnerability/blob/master/Asus_DeleteOfflineClientOverflow.txt;
> classtype:attempted-admin; sid:1100008; rev:1)
>
>
> Thanks.
>
> YM
>
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs () lists snort org
> https://lists.snort.org/mailman/listinfo/snort-sigs
>
> http://www.snort.org
>
> Please visit http://blog.snort.org for the latest news about Snort!
>
> Visit the Snort.org to subscribe to the official Snort ruleset, make sure
> to stay up to date to catch the most <a href="
> https://snort.org/downloads/#rule-downloads";>emerging threats</a>!
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

http://www.snort.org

Please visit http://blog.snort.org for the latest news about Snort!

Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a 
href=" https://snort.org/downloads/#rule-downloads";>emerging threats</a>!