Snort mailing list archives

Re: CF Admin parser access sig
From: James Lay <jlay () slave-tothe-box net>
Date: Fri, 13 Dec 2013 11:14:56 -0700

On 2013-12-13 11:09, Nicholas Mavis wrote:
I'd probably remove the GET and add fast_pattern:only to the content
match on this one.

On Fri, Dec 13, 2013 at 1:02 PM, James Lay <jlay () slave-tothe-box net> wrote:
Meh...slow Friday (the 13th) >:)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS \
  (msg:"SERVER-WEBAPP ColdFusion Admin parser access"; \
  flow:established,to_server; \
  content:"GET"; http_method; nocase; \
  content:"|2f|cfide|2f|administrator|5c|tools|5c|parser.cfm"; http_uri; nocase; \
  reference:url,http://blog.spiderlabs.com/2013/12/the-curious-case-of-the-malicious-iis-module-prologue-method-of-entry-analysis.html; \
  classtype:web-application-attack; sid:10000114; rev:1;)

James

Thanks Nick...that's a better way to go:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS \
  (msg:"SERVER-WEBAPP ColdFusion Admin parser access"; \
  flow:established,to_server; \
  content:"|2f|cfide|2f|administrator|5c|tools|5c|parser.cfm"; http_uri; fast_pattern:only; nocase; \
  reference:url,http://blog.spiderlabs.com/2013/12/the-curious-case-of-the-malicious-iis-module-prologue-method-of-entry-analysis.html; \
  classtype:web-application-attack; sid:10000114; rev:2;)

El Fixied :)

James
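The following is an added example, not part of the thread and not Snort code: a small Python emulation of the rule's http_uri content match, run over constructed HTTP requests, to show what changed between rev:1 and rev:2 (dropping the `content:"GET"; http_method;` check means POST requests to the same URI also fire) and what the `|2f|`/`|5c|` hex escapes and `nocase` actually match on the wire. Assumptions: the request lines are made up for the example; Snort's http_inspect normalisation is modelled only as percent-decoding, with backslash-to-slash conversion (the `iis_backslash` preprocessor option) assumed off, since with it on the 0x5c bytes would appear as 0x2f in the normalised buffer and the rule content would need to change accordingly.

```python
"""Emulate the http_uri content match of the SERVER-WEBAPP ColdFusion Admin
parser access rule against constructed requests.  This approximates Snort's
content / nocase / http_uri / http_method semantics in plain Python; it is
not Snort and not the rule author's code."""
from urllib.parse import unquote

# Content string exactly as written in the rule (|..| holds hex bytes).
RULE_CONTENT = "|2f|cfide|2f|administrator|5c|tools|5c|parser.cfm"


def decode_snort_content(content: str) -> bytes:
    """Turn Snort content syntax (literal text with |hex| escapes) into bytes.

    Tokens alternate literal / hex when split on '|'.  Escaped pipes (\\|)
    are not handled here; the rule under discussion does not use them.
    """
    out = bytearray()
    for i, tok in enumerate(content.split("|")):
        out += bytes.fromhex(tok) if i % 2 else tok.encode("latin-1")
    return bytes(out)


PATTERN = decode_snort_content(RULE_CONTENT)


def request_matches(request: bytes, *, require_get: bool) -> bool:
    """rev:1 semantics when require_get=True, rev:2 when False."""
    request_line = request.split(b"\r\n", 1)[0]
    method, _, rest = request_line.partition(b" ")
    target = rest.rsplit(b" ", 1)[0]  # drop the trailing " HTTP/1.x"

    # rev:1 only: content:"GET"; http_method; nocase;
    if require_get and method.upper() != b"GET":
        return False

    # http_uri matches the normalised URI buffer; percent-decoding is the
    # only normalisation modelled here (assumption: iis_backslash is off,
    # so 0x5c stays a backslash rather than becoming 0x2f).
    uri = unquote(target.decode("latin-1")).encode("latin-1")
    return PATTERN.lower() in uri.lower()  # nocase


# Constructed sample traffic (not captured data).
SAMPLE_REQUESTS = {
    "get_lower": b"GET /cfide/administrator\\tools\\parser.cfm HTTP/1.1\r\nHost: cf\r\n\r\n",
    "get_mixed": b"GET /CFIDE/Administrator\\Tools\\Parser.cfm HTTP/1.1\r\nHost: cf\r\n\r\n",
    "post":      b"POST /cfide/administrator\\tools\\parser.cfm HTTP/1.1\r\nHost: cf\r\n\r\n",
    "encoded":   b"GET /cfide/administrator%5ctools%5cparser.cfm HTTP/1.1\r\nHost: cf\r\n\r\n",
    "benign":    b"GET /cfide/administrator/index.cfm HTTP/1.1\r\nHost: cf\r\n\r\n",
}


def evaluate(require_get: bool) -> dict:
    """Run every sample request through one revision of the rule."""
    return {name: request_matches(req, require_get=require_get)
            for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    rev1, rev2 = evaluate(require_get=True), evaluate(require_get=False)
    print(f"pattern bytes: {PATTERN!r}")
    print(f"{'request':<10} {'rev:1':>6} {'rev:2':>6}")
    for name in SAMPLE_REQUESTS:
        print(f"{name:<10} {str(rev1[name]):>6} {str(rev2[name]):>6}")
```

Only the "post" row differs between the two revisions; the mixed-case and percent-encoded variants match in both because of `nocase` and URI normalisation, and the benign admin index request matches in neither. `fast_pattern:only` changes which content the fast-pattern matcher keys on, not what the rule matches, so it is not modelled.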

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!