Snort mailing list archives
CVE-2018-8733, CVE-2018-8734, CVE-2018-8735
From: Y M via Snort-sigs <snort-sigs () lists snort org>
Date: Tue, 1 May 2018 13:24:16 +0000
Hi,

The below rules are for detecting exploit attempts against the listed CVEs. Pcap is available for this one.

# Date: 2018-05-01
# Title: CVE-2018-873X - NagiosXI Vulnerability Chaining; Death By a Thousand Cuts
# Reference: http://blog.redactedsec.net/exploits/2018/04/26/nagios.html, https://www.exploit-db.com/exploits/44560/
# CVEs: CVE-2018-8733, CVE-2018-8734, CVE-2018-8735
# Tests: pcap

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP NagiosXI unauthenticated SQL injection attempt"; flow:to_server,established; content:"POST"; http_method; content:"/nagiosql/admin/helpedit.php"; fast_pattern:only; http_uri; content:"selInfoKey1="; http_client_body; content:"union"; nocase; http_client_body; content:"select"; nocase; http_client_body; metadata:ruleset community, service http; reference:cve,2018-8734; reference:url,blog.redactedsec.net/exploits/2018/04/26/nagios.html; reference:url,www.exploit-db.com/exploits/44560/; classtype:attempted-admin; sid:8000033; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP NagiosXI unauthenticated authentication bypass attempt"; flow:to_server,established; content:"POST"; http_method; content:"/nagiosql/admin/settings.php"; fast_pattern:only; http_uri; content:"txtRootPath="; http_client_body; content:"&txtDBserver="; http_client_body; content:"&txtDBname="; http_client_body; content:"&txtDBuser="; http_client_body; reference:cve,2018-8733; reference:url,blog.redactedsec.net/exploits/2018/04/26/nagios.html; reference:url,www.exploit-db.com/exploits/44560/; classtype:attempted-admin; sid:8000034; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP NagiosXI authenticated command injection attempt"; flow:to_server,established; content:"POST"; http_method; content:"/nagiosxi/backend/index.php?"; fast_pattern:only; http_uri; content:"command_data="; http_uri; content:"&cmd=submitcommand"; http_uri; content:"&command="; http_uri; content:"nagiosxi="; http_cookie; reference:cve,2018-8735; reference:url,blog.redactedsec.net/exploits/2018/04/26/nagios.html; reference:url,www.exploit-db.com/exploits/44560/; classtype:attempted-admin; sid:8000035; rev:1;)

Thanks.
YM
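An offline check of the content logic in the three rules above, added here as an illustration and not part of the original post: a simplified Python evaluator (not Snort; it skips HTTP normalization, flow state and the rule header) run over constructed requests. The names RULES, parse, matching_sids and SAMPLES are hypothetical, and each request is assumed to be already split into the buffers the http_* modifiers name.

```python
import re

# Detection options copied from the three rules in the post (header, msg, reference, sid omitted).
RULES = {
    8000033: 'content:"POST"; http_method; content:"/nagiosql/admin/helpedit.php"; fast_pattern:only; '
             'http_uri; content:"selInfoKey1="; http_client_body; content:"union"; nocase; '
             'http_client_body; content:"select"; nocase; http_client_body;',
    8000034: 'content:"POST"; http_method; content:"/nagiosql/admin/settings.php"; fast_pattern:only; '
             'http_uri; content:"txtRootPath="; http_client_body; content:"&txtDBserver="; '
             'http_client_body; content:"&txtDBname="; http_client_body; content:"&txtDBuser="; '
             'http_client_body;',
    8000035: 'content:"POST"; http_method; content:"/nagiosxi/backend/index.php?"; fast_pattern:only; '
             'http_uri; content:"command_data="; http_uri; content:"&cmd=submitcommand"; http_uri; '
             'content:"&command="; http_uri; content:"nagiosxi="; http_cookie;',
}
OPTION = re.compile(r'\s*(\w+)(?::\s*("[^"]*"|[^;]*))?;')

def parse(options):
    """Turn an option string into content checks: pattern, buffer, nocase flag."""
    checks = []
    for name, arg in OPTION.findall(options):
        if name == "content":
            checks.append({"pat": arg.strip('"'), "buf": "raw", "nocase": False})
        elif name.startswith("http_"):
            checks[-1]["buf"] = name  # modifier applies to the preceding content
        elif name == "nocase" or (name == "fast_pattern" and arg == "only"):
            # Snort 2 matches fast_pattern:only contents case-insensitively.
            checks[-1]["nocase"] = True
    return checks

def matching_sids(request):
    """Return sids whose contents all occur (in any order) in the request's buffers."""
    def hit(c):
        hay, pat = request.get(c["buf"], ""), c["pat"]
        return pat.lower() in hay.lower() if c["nocase"] else pat in hay
    return [sid for sid, opts in RULES.items() if all(hit(c) for c in parse(opts))]

# Constructed requests (placeholder values only), keyed by the buffer names used above.
SAMPLES = {
    "sqli_shape": {"http_method": "POST", "http_uri": "/nagiosql/admin/helpedit.php",
                   "http_client_body": "selInfoKey1=1+UnIoN+SeLeCt+1"},
    "settings_post": {"http_method": "POST", "http_uri": "/nagiosql/admin/settings.php",
                      "http_client_body": "txtRootPath=/p&txtDBserver=h&txtDBname=n&txtDBuser=u"},
    "backend_cmd": {"http_method": "POST", "http_cookie": "nagiosxi=abc123", "http_uri":
                    "/nagiosxi/backend/index.php?x=1&cmd=submitcommand&command=0&command_data=t"},
    "benign_words": {"http_method": "POST", "http_uri": "/nagiosql/admin/helpedit.php",
                     "http_client_body": "selInfoKey1=common&note=credit union, select one"},
    "benign_get": {"http_method": "GET", "http_uri": "/nagiosql/admin/helpedit.php"},
}
```

The benign_words sample shows sid 8000033 also firing on ordinary text, because its "union" and "select" contents are unordered and unanchored, which is worth knowing when triaging alerts from it.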