Snort mailing list archives

Re: CVE-2017-17974 signatures

From: Tyler Montier <tmontier () sourcefire com>
Date: Mon, 8 Jan 2018 10:53:16 -0500

Yaser,

Thanks for your submission. we will review the rules and get back to you
when they're finished.

Sincerely,

Tyler Montier,
Cisco Talos

On Thu, Jan 4, 2018 at 1:09 PM, Y M via Snort-sigs <
snort-sigs () lists snort org> wrote:

Hi,


The below signatures are for detecting attempted disclosure of credentials
of the affected system. Opted for individual signatures as opposed to
using pcre. No pcaps available for this one.


alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP
BA Systems BAS Web information disclosure attempt";
flow:to_server,established; content:"GET"; http_method; content:"/isc/";
fast_pattern:only; http_uri; content:"get_sid.aspx"; distance:0; http_uri;
metadata:ruleset community, service http; reference:cve,2017-17974;
reference:url,vuldb.com/?id.111184; reference:url,misteralfa-hack.
blogspot.com/2017/12/ba-system-improper-access-control.html;
classtype:attempted-user; sid:9000005; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP
BA Systems BAS Web information disclosure attempt";
flow:to_server,established; content:"GET"; http_method; content:"/isc/";
fast_pattern:only; http_uri; content:"get_sid_js.aspx"; distance:0;
http_uri; metadata:ruleset community, service http;
reference:cve,2017-17974; reference:url,vuldb.com/?id.111184;
reference:url,misteralfa-hack.blogspot.com/2017/12/ba-
system-improper-access-control.html; classtype:attempted-user;
sid:9000006; rev:1;)

Thanks.

YM

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-
the-mailing-list-etiquette

Visit the Snort.org to subscribe to the official Snort ruleset, make sure
to stay up to date to catch the most <a href="
https://snort.org/downloads/#rule-downloads";>emerging threats</a>!

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a 
href=" https://snort.org/downloads/#rule-downloads";>emerging threats</a>!

Current thread:

CVE-2017-17974 signatures Y M via Snort-sigs (Jan 04)
- Re: CVE-2017-17974 signatures Tyler Montier (Jan 08)