Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: CVE-2017-9097 signature

From: Tyler Montier <tmontier () sourcefire com>
Date: Mon, 8 Jan 2018 10:54:20 -0500
Yaser,

Thanks for your submission. we will review the rules and get back to you
when they're finished.

Do you have PCAPS available for this CVE?

Thanks,

Tyler Montier,
Cisco Talos

On Thu, Jan 4, 2018 at 1:12 PM, Y M via Snort-sigs <
snort-sigs () lists snort org> wrote:


Hi,


The below signature attempts at detecting directory traversal on the
affected system. Subsequent attacks use the retrieved credentials to
perform rce.


alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP
Anti-Web industrial OT directory traversal attempt";
flow:to_server,established; content:"POST"; http_method;
content:"/cgi-bin/write.cgi"; fast_pattern:only; http_uri;
content:"page=/"; http_client_body; content:"&template=../"; distance:0;
http_client_body; metadata:ruleset community, service http;
reference:cve,2017-9097; reference:url,github.com/
ezelf/AntiWeb_testing-Suite/blob/master/LFI/anti-web-v1.py;
classtype:attempted-user; sid:9000010; rev:1;)


Thanks.

YM

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-
the-mailing-list-etiquette

Visit the Snort.org to subscribe to the official Snort ruleset, make sure
to stay up to date to catch the most <a href="
https://snort.org/downloads/#rule-downloads";>emerging threats</a>!



_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a 
href=" https://snort.org/downloads/#rule-downloads";>emerging threats</a>!
Previous By Date Next
Previous By Thread Next

Current thread: