Snort mailing list archives

Re: Understanding SNORT ID 47649


From: Alex McDonnell <amcdonnell () sourcefire com>
Date: Wed, 3 Apr 2019 15:17:33 -0400

Real quick:

content:"|23|_memberAccess"; fast_pattern:only; http_uri:; <- this content
is looking for @_memberAccess, an ognl command, in the URI field of HTTP
traffic.

content:"ognl."; http_uri:; <- this content looks for the first part of an
ognl command in the URI


pcre:"/ognl\x2e(OgnlContext|ClassResolver|TypeConverter|MemberAccess)/Ui";
<- this PCRE looks for the same ognl string followed by some common
commands such as ognl.OgnlContext. Again in the URI.


This rule is attempting to detect the exploitation of the vuln referenced
in the rule and pointed out in the previous email by Waldo Kitty. The
network traffic you included resembles that found in exploitation traffic,
specifically one investigated at
http://www.voidcn.com/article/p-fhhxkdhd-zw.html (in Chinese, needs
translation)


If you are using Cisco Firepower you may want to open a Support/TAC case to
see if there's a need to take remediation steps.


Thanks

Alex McDonnell

Cisco Talos

On Wed, Apr 3, 2019 at 2:47 PM wkitty42--- via Snort-sigs <snort-sigs () lists snort org> wrote:

On 4/1/19 1:52 PM, Migell Roberts wrote:
reference:cve,2018-11776;
reference:url,cwiki.apache.org/confluence/display/WW/S2-057;

see those two reference lines above? look up the CVE and visit the cwiki site link...

aside from that, looking at the rule will tell you what the matches are for the rule... if the traffic made it to your server, the server logs should tell you exactly what was being looked for...

the only other thing i can think of is to look at the snort.log.xxxxxxxxxxxx file containing the pcap of the traffic... the pcap will tell you what the server cannot if the traffic didn't make it that far...


--
  NOTE: No off-list assistance is given without prior approval.
        *Please keep mailing list traffic on the list unless*
        *a signed and pre-paid contract is in effect with us.*
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules:
https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit Snort.org to subscribe to the official Snort ruleset, and make sure to stay up to date to catch the most emerging threats: https://snort.org/downloads/#rule-downloads

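The three rule options Alex walks through above, emulated in Python over constructed sample URIs. This is an added example, not Snort itself and not Talos or Sourcefire code: it approximates Snort's normalized http_uri buffer with percent-decoding (so `%23` becomes the byte 0x23, `#`, which is what `|23|` denotes), treats both content options as byte-exact matches because neither carries `nocase`, applies the pcre case-insensitively as its `/i` flag requires, and ANDs all three options as Snort does within one rule. The sample URIs are made up for the example (they contain the tokens the rule looks for inside an OGNL-looking expression and are not a working payload or taken from any capture), and the `fast_pattern:only` handling is an assumption noted in the code.

```python
"""Emulation of the three rule options quoted in the thread, run over
constructed sample request-URIs.  Added example: this is neither the Snort
engine nor Talos code, and it approximates Snort as follows.

  * http_uri is approximated by percent-decoding the raw request-URI; the
    real engine matches against the HTTP inspector's normalized URI.
  * Both content options are treated as byte-exact matches (neither has
    nocase).  fast_pattern:only on the first content is assumed not to
    change that; the evasion sample below relies only on the second,
    plain content in any case.
  * The pcre is applied case-insensitively, as its /i flag requires.
  * All three options are ANDed, as for any single Snort rule.
"""
import re
from urllib.parse import unquote_to_bytes

# content:"|23|_memberAccess"  -- |23| is the hex byte 0x23, i.e. '#'
CONTENT_MEMBER_ACCESS = b"\x23_memberAccess"
# content:"ognl."
CONTENT_OGNL = b"ognl."
# pcre:"/ognl\x2e(OgnlContext|ClassResolver|TypeConverter|MemberAccess)/Ui"
PCRE_OGNL_CLASS = re.compile(
    rb"ognl\x2e(OgnlContext|ClassResolver|TypeConverter|MemberAccess)",
    re.IGNORECASE,
)


def normalized_uri(raw_uri: str) -> bytes:
    """Approximate Snort's normalized http_uri buffer: percent-decode the
    raw request-URI so that %23 becomes '#' before the contents are tried."""
    return unquote_to_bytes(raw_uri)


def rule_matches(raw_uri: str) -> dict:
    """Evaluate each option against one URI and return the per-option results
    plus 'alert', which is True only when all three options match."""
    uri = normalized_uri(raw_uri)
    result = {
        "content_memberAccess": CONTENT_MEMBER_ACCESS in uri,
        "content_ognl": CONTENT_OGNL in uri,
        "pcre_ognl_class": PCRE_OGNL_CLASS.search(uri) is not None,
    }
    result["alert"] = all(result.values())
    return result


# Constructed sample URIs for exercising the matcher.  They contain the tokens
# the rule looks for inside an OGNL-looking expression; they are not a
# working payload and are not taken from any capture.
SAMPLES = {
    # Percent-encoded, as a client would normally send it.
    "encoded": "/showcase/%24%7B%23_memberAccess%3D%40ognl.OgnlContext"
               "%40DEFAULT_MEMBER_ACCESS%7D/index.action",
    # Same tokens sent unencoded.
    "raw": "/showcase/${#_memberAccess=@ognl.OgnlContext"
           "@DEFAULT_MEMBER_ACCESS}/index.action",
    # Case-varied: the plain content "ognl." has no nocase, so "OGNL." misses
    # it and the rule stays silent even though the /i pcre still matches.
    "case_varied": "/showcase/${#_memberaccess=@OGNL.OgnlContext"
                   "@DEFAULT_MEMBER_ACCESS}/index.action",
    # Benign request that happens to contain "ognl." in a path.
    "benign": "/docs/ognl.html?topic=expressions",
}


def evaluate_samples() -> dict:
    """Run every constructed sample through the emulated rule."""
    return {name: rule_matches(uri) for name, uri in SAMPLES.items()}


if __name__ == "__main__":
    for name, res in evaluate_samples().items():
        flags = " ".join(f"{k}={int(v)}" for k, v in res.items())
        print(f"{name:12s} {flags}")
```

The "encoded" and "raw" samples both alert, which is the point of matching against the normalized URI rather than the wire bytes. The "case_varied" sample shows the practical caveat: the pcre is case-insensitive but the two content options are not, so a request with "OGNL." instead of "ognl." does not trigger this rule as written. When checking an alert against the pcap from the snort.log file mentioned earlier in the thread, feeding the captured request-URI to `rule_matches` shows which of the three options actually fired; note too that every option here is scoped to http_uri, so the same tokens in a header or POST body would not be seen by this rule.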
