Snort mailing list archives

CVE-2018-8733, CVE-2018-8734, CVE-2018-8735


From: Y M via Snort-sigs <snort-sigs () lists snort org>
Date: Tue, 1 May 2018 13:24:16 +0000

Hi,

The below rules are for detecting exploit attempts against the listed CVEs. Pcap is available for this one.

# Date: 2018-05-01
# Title: CVE-2018-873X - NagiosXI Vulnerability Chaining; Death By a Thousand Cuts
# Reference: http://blog.redactedsec.net/exploits/2018/04/26/nagios.html, https://www.exploit-db.com/exploits/44560/
# CVEs: CVE-2018-8733, CVE-2018-8734, CVE-2018-8735
# Tests: pcap

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP NagiosXI unauthenticated SQL injection attempt"; flow:to_server,established; content:"POST"; http_method; content:"/nagiosql/admin/helpedit.php"; fast_pattern:only; http_uri; content:"selInfoKey1="; http_client_body; content:"union"; nocase; http_client_body; content:"select"; nocase; http_client_body; metadata:ruleset community, service http; reference:cve,2018-8734; reference:url,blog.redactedsec.net/exploits/2018/04/26/nagios.html; reference:url,www.exploit-db.com/exploits/44560/; classtype:attempted-admin; sid:8000033; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP NagiosXI unauthenticated authentication bypass attempt"; flow:to_server,established; content:"POST"; http_method; content:"/nagiosql/admin/settings.php"; fast_pattern:only; http_uri; content:"txtRootPath="; http_client_body; content:"&txtDBserver="; http_client_body; content:"&txtDBname="; http_client_body; content:"&txtDBuser="; http_client_body; reference:cve,2018-8733; reference:url,blog.redactedsec.net/exploits/2018/04/26/nagios.html; reference:url,www.exploit-db.com/exploits/44560/; classtype:attempted-admin; sid:8000034; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP NagiosXI authenticated command injection attempt"; flow:to_server,established; content:"POST"; http_method; content:"/nagiosxi/backend/index.php?"; fast_pattern:only; http_uri; content:"command_data="; http_uri; content:"&cmd=submitcommand"; http_uri; content:"&command="; http_uri; content:"nagiosxi="; http_cookie; reference:cve,2018-8735; reference:url,blog.redactedsec.net/exploits/2018/04/26/nagios.html; reference:url,www.exploit-db.com/exploits/44560/; classtype:attempted-admin; sid:8000035; rev:1;)

Thanks.
YM
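Added example, not part of the post above and not Snort's own matching engine: a small Python evaluator for the Snort 2 options these three rules depend on (content, nocase, and the http_method / http_uri / http_client_body / http_cookie sticky modifiers). It parses each rule, records which HTTP buffer every content applies to, and checks constructed sample requests against them, so a rule author can see which conditions must all hold for a given sid to fire. The sample requests, hostnames and field values are constructed placeholders; the url references are dropped from the embedded rule copies for brevity. Real Snort additionally normalizes the URI and honours offset/depth/distance/within, none of which is modelled here.

```python
import re

# The three rules from the post, joined onto single lines (url references
# omitted for brevity; everything else is as posted).
RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP NagiosXI '
    'unauthenticated SQL injection attempt"; flow:to_server,established; content:"POST"; '
    'http_method; content:"/nagiosql/admin/helpedit.php"; fast_pattern:only; http_uri; '
    'content:"selInfoKey1="; http_client_body; content:"union"; nocase; http_client_body; '
    'content:"select"; nocase; http_client_body; metadata:ruleset community, service http; '
    'reference:cve,2018-8734; classtype:attempted-admin; sid:8000033; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP NagiosXI '
    'unauthenticated authentication bypass attempt"; flow:to_server,established; content:"POST"; '
    'http_method; content:"/nagiosql/admin/settings.php"; fast_pattern:only; http_uri; '
    'content:"txtRootPath="; http_client_body; content:"&txtDBserver="; http_client_body; '
    'content:"&txtDBname="; http_client_body; content:"&txtDBuser="; http_client_body; '
    'reference:cve,2018-8733; classtype:attempted-admin; sid:8000034; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP NagiosXI '
    'authenticated command injection attempt"; flow:to_server,established; content:"POST"; '
    'http_method; content:"/nagiosxi/backend/index.php?"; fast_pattern:only; http_uri; '
    'content:"command_data="; http_uri; content:"&cmd=submitcommand"; http_uri; '
    'content:"&command="; http_uri; content:"nagiosxi="; http_cookie; '
    'reference:cve,2018-8735; classtype:attempted-admin; sid:8000035; rev:1;)',
]

# One rule option: name, optional ":value" (quoted or bare), terminated by ";".
OPT_RE = re.compile(r'\s*([a-z_]+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?\s*;')
# Snort 2 sticky modifiers and the request field each one selects.
HTTP_BUFFERS = {"http_method": "method", "http_uri": "uri",
                "http_client_body": "body", "http_cookie": "cookie"}


def parse_rule(rule):
    """Return sid, msg and the ordered content checks of one rule."""
    _, _, opts = rule.partition("(")
    contents, sid, msg = [], None, None
    for name, value in OPT_RE.findall(opts.rstrip().rstrip(")")):
        if name == "content":
            contents.append({"pattern": value.strip('"'),
                             "buffer": "raw", "nocase": False})
        elif name in HTTP_BUFFERS and contents:  # modifier binds to the last content
            contents[-1]["buffer"] = HTTP_BUFFERS[name]
        elif name == "nocase" and contents:
            contents[-1]["nocase"] = True
        elif name == "sid":
            sid = int(value)
        elif name == "msg":
            msg = value.strip('"')
    return {"sid": sid, "msg": msg, "contents": contents}


def split_request(raw):
    """Split a raw HTTP request into the buffers the modifiers refer to."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, uri, _ = request_line.split(" ", 2)
    headers = {k.strip().lower(): v.strip()
               for k, _, v in (h.partition(":") for h in header_lines)}
    return {"raw": raw, "method": method, "uri": uri,
            "body": body, "cookie": headers.get("cookie", "")}


def matches(rule, req):
    """Every content must be found in its buffer (AND semantics, no ordering)."""
    for c in rule["contents"]:
        hay, needle = req[c["buffer"]], c["pattern"]
        if c["nocase"]:
            hay, needle = hay.lower(), needle.lower()
        if needle not in hay:
            return False
    return True


def evaluate(rules, raw_request):
    """Return the sids of all parsed rules that a request would trigger."""
    req = split_request(raw_request)
    return [r["sid"] for r in rules if matches(r, req)]


PARSED = [parse_rule(r) for r in RULES]

# Constructed sample requests; hostnames and values are placeholders.
SAMPLE_BENIGN = ("POST /nagiosql/admin/helpedit.php HTTP/1.1\r\n"
                 "Host: nagios.example.test\r\n\r\n"
                 "selInfoKey1=nagios_version&cmdMode=1")
SAMPLE_SQLI = ("POST /nagiosql/admin/helpedit.php HTTP/1.1\r\n"
               "Host: nagios.example.test\r\n\r\n"
               "selInfoKey1=1 UNION SELECT 1&cmdMode=1")
SAMPLE_CMD = ("POST /nagiosxi/backend/index.php?command_data=PLACEHOLDER"
              "&cmd=submitcommand&command=PLACEHOLDER HTTP/1.1\r\n"
              "Host: nagios.example.test\r\nCookie: nagiosxi=PLACEHOLDER\r\n\r\n")

if __name__ == "__main__":
    for label, raw in [("benign", SAMPLE_BENIGN), ("sqli", SAMPLE_SQLI),
                       ("cmd", SAMPLE_CMD)]:
        print(label, evaluate(PARSED, raw))
```

The benign helpedit.php POST is the useful check: it carries `selInfoKey1=` but neither `union` nor `select`, so sid 8000033 stays quiet, which is what keeps the rule's false-positive rate low on normal NagiosQL traffic. Note that rule 1 is the only one carrying `metadata:ruleset community, service http`; the other two will work without it, but adding `service http` lets Snort's target-based configuration apply them only to HTTP flows.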