Snort mailing list archives

New rule offered for detecting Zimbra conf/localconfig.xml attempt


From: rmkml <rmkml () yahoo fr>
Date: Wed, 15 Jan 2014 22:01:36 +0100 (CET)

Hi,

I'm offering a new rule for detecting Zimbra conf/localconfig.xml attempts.

Warning: Zimbra runs over HTTPS (no problem with etplc).

alert tcp any any -> any $HTTPS_PORTS (msg:"WEB-MISC Zimbra conf/localconfig.xml attempt"; flow:to_server,established; content:"conf/localconfig.xml"; nocase; http_uri; reference:cve,2013-7091; reference:bugtraq,64149; reference:osvdb,100747; reference:exploitdb,30472; reference:cxsecurity,WLB-2013120097; classtype:web-application-attack; sid:1; rev:1;)

Please check all variables before use.

Discovered during my new project http://etplc.org

All comments are welcome.

Regards
@Rmkml
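
Added example (not part of the original post or of the etplc project): since the post notes that Zimbra runs over HTTPS, the same case-insensitive URI match can be applied to web server or proxy access logs, where the request URI is available in clear text. It assumes combined-format log lines; the sample lines, paths and addresses are constructed, and the bounded repeated percent-decoding is a choice of this example.

```python
import re
from urllib.parse import unquote

# Same string the rule matches: content:"conf/localconfig.xml"; nocase; http_uri;
NEEDLE = "conf/localconfig.xml"

# Request line inside a combined-format access log entry (assumed format).
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+"')

def normalize_uri(uri, max_rounds=3):
    """Percent-decode a bounded number of times, then lower-case (nocase)."""
    for _ in range(max_rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri.lower()

def matches_rule(uri):
    """True when the normalized URI contains the rule's content string."""
    return NEEDLE in normalize_uri(uri)

def scan(lines):
    """Return (line number, client address, raw URI) for every matching entry."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if m and matches_rule(m.group("uri")):
            hits.append((lineno, line.split()[0], m.group("uri")))
    return hits

# Constructed sample log lines (documentation addresses, hypothetical paths).
SAMPLE_LOG = [
    '192.0.2.10 - - [15/Jan/2014:22:01:36 +0100] "GET /index.html HTTP/1.1" 200 512',
    '192.0.2.44 - - [15/Jan/2014:22:02:01 +0100] "GET /example?f=conf/localconfig.xml HTTP/1.1" 200 4096',
    '192.0.2.44 - - [15/Jan/2014:22:02:05 +0100] "GET /example?f=CONF%2FLocalConfig.XML HTTP/1.1" 200 4096',
    '192.0.2.44 - - [15/Jan/2014:22:02:09 +0100] "GET /example?f=conf%252Flocalconfig.xml HTTP/1.1" 404 0',
    '192.0.2.77 - - [15/Jan/2014:22:03:00 +0100] "GET /docs/localconfig.html HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for lineno, src, uri in scan(SAMPLE_LOG):
        print(f"line {lineno}: {src} requested {uri}")
```

The plain, mixed-case percent-encoded and double-encoded requests are reported; the unrelated `localconfig.html` request is not.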
